I have created an application that allows for users to input lots of different data (posts, comments, etc.). The simple_format is good for me for now I just want to protect against crazy stuff. I haven't used sanitize before and after reading some guides I am still a little confused on how to implement. Hoping I can get some direction here.
Let's say I am collecting @post.body. How do I remove any <div> tags or <script> tags that might be entered by the user? I am assuming that in the view it would look something like this:
<%= sanitize(simple_format(@post.body)) %>
...but where do I define what tags aren't allowed? In the Post model or in a sanitize_helper? What is the correct syntax here?
Comments (1)
Here's the documentation link for the sanitize method in Rails 2.3.8. With that in mind you'll be able to define allowed tags in this way:
Note that you can define them also inside the Rails Initializer:
I hope you find this helpful!
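The answer above points at the Rails documentation for the two places an allow-list can live (per call, or application-wide). The following Ruby block is an added, standalone illustration of that whitelist model, not the answerer's code and not Rails' own implementation: it reduces sanitize to the behaviour that matters for the question (allowed tags kept with only allowed attributes, script elements dropped together with their contents, any other tag escaped so it shows up as literal text) and pairs it with a stand-in for simple_format, so the sanitize(simple_format(@post.body)) pipeline from the question can be run offline. The module name DemoSanitizer, the default allow-lists, the sample post body and the href check are all constructed for this example.

```ruby
# Added illustration, not Rails' own code: the whitelist model behind
# ActionView's sanitize helper, reduced to what the question needs.
require 'cgi'

module DemoSanitizer
  # Application-wide defaults (assumed values). In Rails these are
  # ActionView::Base.sanitized_allowed_tags / sanitized_allowed_attributes,
  # set from config/environment.rb or an initializer; here they are limited
  # to what simple_format emits plus a plain link.
  ALLOWED_TAGS       = %w[p br strong em a].freeze
  ALLOWED_ATTRIBUTES = %w[href title].freeze
  # Elements removed together with their contents rather than merely escaped.
  BAD_TAGS = %w[script].freeze

  TAG_RE  = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*?)(/?)>}
  ATTR_RE = /([a-zA-Z][a-zA-Z0-9:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/

  # Constructed sample post body: a script, a div and an inline event handler
  # mixed into otherwise harmless text separated by single newlines.
  SAMPLE_BODY = "Hello <script>alert(1)</script>world\n" \
                "<div class=\"x\">block</div>\n" \
                "see <a href=\"http://example.com\" onclick=\"evil()\">link</a>"

  module_function

  # Stand-in for Rails' simple_format: blank lines become paragraphs, single
  # newlines become <br />. It *produces* <p> and <br />, which is why those
  # two tags must stay on the allow-list when sanitize runs afterwards.
  def simple_format(text)
    text = text.to_s.dup
    text.gsub!(/\r\n?/, "\n")
    text.gsub!(/\n\n+/, "</p>\n\n<p>")
    text.gsub!(/([^\n]\n)(?=[^\n])/, '\1<br />')
    "<p>#{text}</p>"
  end

  # Per-call keyword overrides play the role of sanitize's :tags / :attributes
  # options; omitting them falls back to the application-wide defaults above.
  def sanitize(html, tags: ALLOWED_TAGS, attributes: ALLOWED_ATTRIBUTES)
    out = +''
    pos = 0
    skipping = nil # name of the bad tag whose contents are being discarded
    while (m = TAG_RE.match(html, pos))
      emit_text(out, html[pos...m.begin(0)], skipping)
      closing      = m[1] == '/'
      name         = m[2].downcase
      self_closing = m[4] == '/'
      if skipping
        skipping = nil if closing && name == skipping
      elsif BAD_TAGS.include?(name)
        skipping = name unless closing || self_closing
      elsif tags.include?(name)
        out << rebuild_tag(name, m[3], closing, self_closing, attributes)
      else
        out << m[0].gsub('<', '&lt;') # unknown tag: rendered as literal text
      end
      pos = m.end(0)
    end
    emit_text(out, html[pos..-1], skipping)
    out
  end

  # Text nodes pass through with '<' escaped; inside a bad tag they are dropped.
  def emit_text(out, text, skipping)
    out << text.gsub('<', '&lt;') unless skipping
  end

  # Rebuild an allowed tag keeping only allowed attributes, re-escaping values.
  def rebuild_tag(name, raw_attrs, closing, self_closing, allowed)
    return "</#{name}>" if closing
    attrs = raw_attrs.scan(ATTR_RE).map do |attr, dq, sq, bare|
      attr  = attr.downcase
      value = dq || sq || bare
      next unless allowed.include?(attr)
      # An allowed attribute can still carry a script URL; drop those too.
      next if attr == 'href' && value.strip.downcase.start_with?('javascript:')
      %( #{attr}="#{CGI.escapeHTML(value)}")
    end.compact.join
    "<#{name}#{attrs}#{self_closing ? ' /' : ''}>"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Same pipeline as the view in the question: sanitize(simple_format(body)).
  puts DemoSanitizer.sanitize(DemoSanitizer.simple_format(DemoSanitizer::SAMPLE_BODY))
end
```

Two things carry over to a real Rails 2.3 app. First, the allow-list has to include the tags simple_format itself generates (p and br), otherwise sanitize will escape the formatting you just added; that is the reason the example keeps them in ALLOWED_TAGS. Second, the two configuration points the answer refers to correspond to the keyword overrides (the helper's :tags and :attributes options, as in sanitize(simple_format(@post.body), :tags => %w(p br a), :attributes => %w(href))) and to the module constants (the application-wide defaults, which Rails 2.3 exposes as ActionView::Base.sanitized_allowed_tags and sanitized_allowed_attributes and lets you set through config.action_view in config/environment.rb or an initializer); anything not on the list is escaped rather than silently removed, which is usually what you want for user-visible content.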