How best to sanitize fields in Ruby on Rails
I currently have a controller capturing some html from TinyMCE on the front end. If I tinker with firebug it is possible to submit script tags and inject alert messages etc on to the screen.
edit: Currently I am fixing this in the model by using the sanitize helper:
require 'action_view'

class NotesController < AuthApplicationController
  include ActionView::Helpers::SanitizeHelper
  # ...

  def update
    # Allowlist the tags/attributes TinyMCE is expected to produce; everything else is stripped
    params[:note][:content] = sanitize(params[:note][:content],
      :tags => %w(a object p param h1 h2 h3 h4 h5 h6 br hr ul li img),
      :attributes => %w(href name src type value width height data))
    @note.update_attributes(params[:note])
  end
end
This feels messy in the controller. Is there a better way? I.e. somehow integrate this ActiveRecord so I can easily specify to do this to this and other fields before saving in a similar way to validation?
Thanks for any suggestions.
edit:
Making some progress here.
Under my /Libs I have
module SanitizeUtilities
  # Allowlist sanitizer for TinyMCE output; any tag or attribute not listed is stripped
  def sanitize_tiny_mce(field)
    ActionController::Base.helpers.sanitize(field,
      :tags => %w(a b i strong em p param h1 h2 h3 h4 h5 h6 br hr ul li img),
      :attributes => %w(href name src type value width height data))
  end
end
Then in my Models the code collapses to
class MyModel < ActiveRecord::Base
  include ::SanitizeUtilities
  # ...
  before_save :sanitize_content
  # ...

  # Runs after validations, just before the row is written
  def sanitize_content
    self.content = sanitize_tiny_mce(self.content)
  end
end
This seems to strip out unwanted markup without too much fuss.
Pretty new to rails so nervous I might be doing something wrong. Can anybody see potential drawbacks here?
Thanks again
Comments (2)
I think the way you are doing it is fine, but if you are using before_save then you could potentially still fail validations (since before_save is called after validations). Also, you don't necessarily have to put it into its own module, it could just be a private method on your class. Something like:
This question seems to be answered but for anyone coming to this you might want to consider using custom mutators to make this more transparent. Something like:
This will ensure the content is sanitized any time it's changed.
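The two integration points discussed above (the before_save callback from the question and the first answer, and the custom mutator from the second answer), as an added example that is not part of the question or either answer. To run without Rails, the allowlist scrubber sanitize_html is a hand-rolled stand-in for the sanitize helper, and the Note class imitates ActiveRecord's save order (validations first, then before_save); all names here are assumptions, not the helper's API.

```ruby
# Added example, not code from the question or the answers. The allowlist
# scrubber below is a hand-rolled stand-in for Rails' sanitize helper so the
# file runs without Rails; Note mimics ActiveRecord's save ordering.

ALLOWED_TAGS  = %w[a b i strong em p h1 h2 h3 br hr ul li img].freeze
ALLOWED_ATTRS = %w[href name src width height].freeze
URL_ATTRS     = %w[href src].freeze           # values must be safe URLs
DROP_CONTENT  = %w[script style].freeze       # drop the inner text as well

TAG_RE  = %r{</?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>}
ATTR_RE = /([a-zA-Z][a-zA-Z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/

# Accept only http(s), site-relative and fragment URLs; any other scheme
# (javascript:, data:, vbscript:, ...) is rejected.
def safe_url?(value)
  v = value.to_s.strip
  v.start_with?('/', '#') || v.match?(%r{\Ahttps?://}i) || !v.include?(':')
end

# Escape text nodes; existing entities such as &amp; are left alone.
def escape_text(text)
  text.gsub(/&(?!#?\w+;)/, '&amp;').gsub('<', '&lt;').gsub('>', '&gt;').gsub('"', '&quot;')
end

# Re-emit an allowed opening tag with only allowlisted, URL-checked attributes.
def rebuild_tag(name, raw_attrs)
  attrs = raw_attrs.scan(ATTR_RE).map do |key, dq, sq, bare|
    key   = key.downcase
    value = dq || sq || bare
    next unless ALLOWED_ATTRS.include?(key)
    next if URL_ATTRS.include?(key) && !safe_url?(value)
    %( #{key}="#{escape_text(value)}")
  end
  "<#{name}#{attrs.compact.join}>"
end

# Allowlist scrubber: unknown tags are dropped (their text is kept),
# script/style are dropped together with their contents.
def sanitize_html(html)
  html = html.to_s
  out  = +''
  skip = nil   # name of the DROP_CONTENT tag we are inside, if any
  pos  = 0
  html.scan(TAG_RE) do
    m = Regexp.last_match
    out << escape_text(html[pos...m.begin(0)]) unless skip
    pos     = m.end(0)
    name    = m[1].downcase
    closing = m[0].start_with?('</')
    if skip
      skip = nil if closing && name == skip
    elsif DROP_CONTENT.include?(name)
      skip = name unless closing
    elsif ALLOWED_TAGS.include?(name)
      out << (closing ? "</#{name}>" : rebuild_tag(name, m[2]))
    end
  end
  out << escape_text(html[pos..-1]) unless skip
  out
end

# Stand-in for an ActiveRecord model (hypothetical), reproducing the order the
# first answer points out: validations run before before_save callbacks.
class Note
  attr_reader :content, :errors

  def initialize(sanitize_on: :assignment)
    @mode   = sanitize_on   # :assignment (custom mutator) or :before_save
    @errors = []
  end

  # Custom mutator (second answer): the value is clean from the moment it is
  # assigned, so validations and readers only ever see sanitized content.
  def content=(html)
    @content = @mode == :assignment ? sanitize_html(html) : html
  end

  def valid?
    @errors = []
    @errors << "content can't be blank" if content.to_s.strip.empty?
    @errors.empty?
  end

  # Mimics ActiveRecord#save: validations first, then the before_save callback.
  def save
    return false unless valid?
    @content = sanitize_html(@content) if @mode == :before_save
    true
  end
end
```

With the before_save variant a note consisting only of a script tag passes the presence check and is then stored as an empty string; with the mutator the same input fails validation, because the check runs on what will actually be persisted. In a Rails app the body of content= would call the sanitize helper (rails-html-sanitizer) rather than this toy scrubber, which exists only to keep the example self-contained.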