如何转义html?
我使用 jQuery Markitup 来允许用户输入 html...所以他们可以输入如下内容:
<h1>Foo</h1>
<p>Foobar</p>
但是,我正在观看 http://railscasts.com/episodes/204-xss-protection-in-rails-3 并决定在输入中尝试这段代码:
<script>alert('test');</script>
令我惊讶的是,当我提交时表单并刷新页面,警报框就出来了。这是一个安全风险!
这就是我的看法:
<div><%= comment.description.html_safe %></div>
上面渲染了任何html,但也容易出现xss。所以我尝试了:
<div><%= html_safe(comment.description).html_safe %></div>
但是上面没有渲染任何html。它实际上将 html 显示为 text,这不是所需的行为。
我需要渲染 html,同时保护自己免受 xss 侵害。我该怎么办?
Im using jQuery Markitup to allow users to input html... So they can input stuff like:
<h1>Foo</h1>
<p>Foobar</p>
However, I was watching http://railscasts.com/episodes/204-xss-protection-in-rails-3 and decided to try this piece of code into the input:
<script>alert('test');</script>
To my amazement, when I submitted the form and refreshed the page, the alert box came out. This is a security risk!
This is what I have in my view:
<div><%= comment.description.html_safe %></div>
The above renders any html, but is also prone to xss. So I tried:
<div><%= html_safe(comment.description).html_safe %></div>
But the above does not render any html. It actually displays the html as text, which is not the desired behavior.
I need to render the html and at the same time protect myself from xss. How do I go about this?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
尝试
更新:
要删除所有标签,请使用 strip_tags
Try
Update:
To remove ALL tags use strip_tags