Disabling XSS and HTML sanitization in Rails 3
I'm having an issue where, when I have the contents of my rich text editor saved into the database using ActiveRecord, the HTML content is stripped (I think it fires html_safe on it). I tried overriding the html_safe method on the content string, but nothing works.
content = "<p>hello</p>"
@article.content = content
puts @article.content # "<p>hello</p>"
@article.save
puts @article.content # "<>hello</>"
How can you override the HTML stripping capabilities in ActiveRecord for a particular column?
Comments (4)
As frank blizzard already said in his answer, you make yourself vulnerable to XSS attacks.
But if you trust your authors, that this column is safe to display, you can do something like this in your Article model

You can use the raw(string) method, but it would make you vulnerable against XSS attacks. Another option would be taking a deeper look into markdown.
Turns out the issue to this problem was nothing to do with Rails or the XSS stripping. The code that I had was modifying a string and then saving the results elsewhere, which was causing the original input to be changed. I solved the problem by using string.dup to copy over the original string so that I wasn't affected.

There should be an option for this.
I encourage you to take a look at the docs of the rich text editor that you are using.
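Reproducing the aliasing that the string.dup answer describes, beside the fix, as an added example written for this page (not code from the original post or from Rails; the Article class and the strip_tag_names! helper are assumptions standing in for the ActiveRecord model and for whatever in-place post-processing the asker's code did):

```ruby
require "erb"

# Stand-in for the ActiveRecord model in the question (assumption: a plain
# Ruby object is enough, because the attribute holds a reference to the very
# String object that was assigned, which is all the bug needs).
class Article
  attr_accessor :content
end

# Hypothetical post-processing step (not from the post) that strips tag
# names in place to build a preview. gsub! mutates the receiver, so every
# other reference to the same String sees the change; on "<p>hello</p>" it
# yields exactly the "<>hello</>" the question shows.
def strip_tag_names!(html)
  html.gsub!(%r{</?[a-z0-9]+}i) { |m| m.start_with?("</") ? "</" : "<" }
  html
end

# Buggy flow: the model and the preview step share one String object.
def save_article_buggy(content)
  article = Article.new
  article.content = content            # same object, not a copy
  preview = strip_tag_names!(content)  # mutates article.content too
  [article.content, preview]
end

# Fixed flow: work on a copy (string.dup) and leave the stored value alone.
def save_article_fixed(content)
  article = Article.new
  article.content = content
  preview = strip_tag_names!(content.dup)
  [article.content, preview]
end

# Display side: escaping on output (the Rails default) is independent of
# what is stored. Rendering stored HTML with raw skips this step, which is
# the XSS exposure the other answers warn about.
def escape_for_view(html)
  ERB::Util.html_escape(html)
end

if __FILE__ == $PROGRAM_NAME
  p save_article_buggy(String.new("<p>hello</p>"))  # ["<>hello</>", "<>hello</>"]
  p save_article_fixed(String.new("<p>hello</p>"))  # ["<p>hello</p>", "<>hello</>"]
  puts escape_for_view("<p>hello</p>")              # &lt;p&gt;hello&lt;/p&gt;
end
```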