html escaped in link_to

Posted 2024-11-01 03:50:19 · 1647 characters · 1 view · 0 comments


I'm trying to implement a link that, when clicked, marks you as present for a meeting. This link is a method in a helper:

  # Helper that builds the "mark me present" link for one event.
  # Assumes a `registration` object is available in the helper's context.
  def link_to_remote_registration(event_id)
    down_image = "down_blanco.png"
    up_image   = "up_blanco.png"

    # Use the filled icon for whichever choice has already been recorded
    # (down_image is computed here but this link only renders up_image)
    unless registration.nil?
      if registration.present == 1
        up_image = "up_filled.png"
      elsif registration.present == 0
        down_image = "down_filled.png"
      end
    end

    # Inline JS that toggles the spinner and the vote widget for this event
    loading_and_complete = "Element.show('indicator_event_" + event_id.to_s + "'); Element.hide('vote_" + event_id.to_s + "')".html_safe
    complete = "Element.hide('indicator_event_" + event_id.to_s + "'); Element.show('vote_" + event_id.to_s + "')".html_safe

    # :border must be a symbol key (a bare `border` would be an undefined method)
    link_to(image_tag(up_image, :id => 'will_not_attend_event_' + event_id.to_s, :border => 0),
            :url => new_registration_path(:present => 1, :event_id => event_id, :escape => false),
            :remote => true,
            :method => :put,
            :loading => loading_and_complete,
            :complete => complete)
  end

The problem is that when I render the link in my view some of the html gets escaped making the link not work.

<a href="/calendar?complete=Element.hide%28%27indicator_event_1%27%29%3B+Element.show%28%27vote_1%27%29&loading=Element.show%28%27indicator_event_1%27%29%3B+Element.hide%28%27vote_1%27%29&method=put&remote=true&url=%2Fregistrations%2Fnew%3Fevent_id%3D1%26present%3D1">
<img id="will_not_attend_event_1" border="0" src="/images/up_blanco.png?1198181114" alt="Up_blanco">
</a>

Which I think is not a valid url. I wonder why this happens - I call the html escape on the complete and loading string.

Regards


Comments (2)

单挑你×的.吻 2024-11-08 03:50:19


Since you're passing the html from from a helper, Rails sanitizes it to protect from XSS. You can override it by returning:

link_to_remote_registration.html_safe

http://railscasts.com/episodes/204-xss-protection-in-rails-3

孤千羽 2024-11-08 03:50:19


You could also use raw() instead of disabling XSS system-wide.

raw(image_tag(up_image, :id => 'will_not_attend_event_' + event_id.to_s, :border => 0))
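Both answers switch Rails' output escaping off for a string the helper built itself (html_safe on the returned string, or raw() around one piece). The following is an added example, not code from the question or either answer and not Rails' own implementation: a plain Ruby model of that mechanism built on ERB::Util.html_escape from the standard library. SafeString stands in for ActiveSupport::SafeBuffer, output_for_view for what <%= %> does in a view, and vote_indicator_js / vote_indicator_js_unchecked for the asker's helper; those names and bodies are assumptions. It shows the check worth making before marking anything safe: the string must be built entirely from the helper's own constants, with the only variable part (event_id) coerced to an integer first.

```ruby
require "erb"

# Stand-in for ActiveSupport::SafeBuffer (assumption, not Rails' code): a String
# that declares itself already safe, so the view layer must not escape it again.
class SafeString < String
  def html_safe?
    true
  end
end

class String
  # Rails adds these two methods to String; same idea here.
  def html_safe?
    false
  end

  def html_safe
    SafeString.new(self)
  end
end

# What <%= %> does in a Rails 3 view: escape unless the value is marked safe.
def output_for_view(value)
  return value.to_s if value.respond_to?(:html_safe?) && value.html_safe?
  ERB::Util.html_escape(value.to_s)
end

# Equivalent of the raw() helper from the second answer: skip escaping entirely.
def raw(value)
  value.to_s.html_safe
end

# The asker's helper reduced to its variable part (assumption: name and body are
# constructed here). The string is built only from constants plus an integer,
# so marking it safe cannot let markup or script into the page.
def vote_indicator_js(event_id)
  id = Integer(event_id) # raises ArgumentError for anything that is not an integer id
  "Element.show('indicator_event_#{id}'); Element.hide('vote_#{id}')".html_safe
end

# The same helper without the integer check, kept as the contrast: whatever is
# in event_id reaches the page verbatim, because html_safe turned escaping off.
def vote_indicator_js_unchecked(event_id)
  "Element.show('indicator_event_#{event_id}'); Element.hide('vote_#{event_id}')".html_safe
end

if $PROGRAM_NAME == __FILE__
  puts output_for_view("<b>hi</b>")              # escaped
  puts output_for_view(vote_indicator_js(1))     # left alone, built from constants
end
```

A side point that the href in the question itself makes visible: complete=, loading=, url=, method= and remote= appear as query parameters, and the `(`, `'` and `;` inside them are percent-encoded. That is ordinary query-string encoding, not HTML escaping, and html_safe on the values does not affect it. In Rails 3, link_to passes a hash given as its second argument to url_for, which serialises keys it does not recognise as route options into the query string; :remote and :method belong in link_to's third (html_options) hash there, and the Prototype-era :loading/:complete callbacks of link_to_remote are not link_to options at all.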