转义 HTML 输出但不换行
我的模型中有一个描述文本字段。 否,我想在展示页面上添加此描述。 但由于没有换行符,文本显得很难看。
如果我用
我最终得到了一些丑陋的代码。
raw(h(@place.description.gsub("\n","#linebreak#")).gsub("#linebreak#","<br/>"))
您有什么建议吗?
I have a description text field in my Model.
No I want to add this description on the show page.
But the text renders ugly because of no linebreaks.
If i replace them with <br/> then the rails escape them with.
So i tried to use the raw() method.
I want to escape bad HTML but have the linebreaks in my output.
I end up with some ugly code.
raw(h(@place.description.gsub("\n","#linebreak#")).gsub("#linebreak#","<br/>"))
Do you have any suggestions?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
您应该使用 simple_format 帮助器:
http://api. rubyonrails.org/classes/ActionView/Helpers/TextHelper.html#method-i-simple_format
you should use the simple_format helper:
http://api.rubyonrails.org/classes/ActionView/Helpers/TextHelper.html#method-i-simple_format
3 年后,但提供一个良好的工作解决方案永远不会太晚
这将转义除换行符之外的所有 HTML 字符(兼容 Linux、Windows 和 Mac)
3 years later, but it's never too late to provide a good working solution
This will escape all HTML chars but the newlines (compatible Linux, Windows and Mac)
是您要找的吗
?但转念一想,这样的
html_safe用法岂不是很容易让网站受到XSS攻击吗? (因为它假设描述是安全的)。没有更好的解决方案
因此,一开始我认为
,但实际上两个版本都可以工作。然后我通过向
description添加一些 HTML 标签进行测试,它被转义为<等,因此它确实可以防止 XSS 攻击。is what you are looking for
? But on second thought, doesn't the
html_safeusage like that make it easy for the site to get XSS attack? (because it assumes thedescriptionis safe).So won't a better solution be
at first I thought
is needed but actually both versions work. I then tested by adding some HTML tags to
descriptionand it got escaped into<etc, so it does prevent XSS attack.这是一个有效的解决方案:
更多阅读:
解析文本区域中的换行符不允许使用所有 html 标签
文档:
http:// /api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html
来自 sanitize:
此清理助手将对所有标签进行 html 编码并去除所有未明确允许的属性。
它还会去除带有无效协议的 href/src 标签,例如 javascript: 特别是。它尽力对抗黑客可能使用的任何技巧,例如输入 unicode/ascii/hex 值来绕过 javascript: 过滤器。查看广泛的测试套件。
您可以使用 :tags 选项指定允许的标签,并使用 :attributes 选项指定属性。
Here's a solution that works:
More reading:
Parsing newline characters in textareas without allowing all html tags
Documentation:
http://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html
From sanitize:
This sanitize helper will html encode all tags and strip all attributes that aren’t specifically allowed.
It also strips href/src tags with invalid protocols, like javascript: especially. It does its best to counter any tricks that hackers may use, like throwing in unicode/ascii/hex values to get past the javascript: filters. Check out the extensive test suite.
You can specify allowed tags with :tags option, and attributes with :attributes option.