
Rails sanitize

Date: 2016-12-14 18:58:56


The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements. These helper methods extend Action View making them callable within your template files.

Only the tags and attributes explicitly listed in the sanitize call are allowed through to the page; everything else is stripped, which prevents markup injection.

sanitize(html, options = {})

Sanitizes HTML input, stripping all tags and attributes that aren't whitelisted.

It also strips href/src attributes with unsafe protocols like javascript:, while also protecting against attempts to use Unicode, ASCII, and hex character references to work around these protocol filters.

The default sanitizer is Rails::Html::WhiteListSanitizer. See Rails HTML Sanitizers for more information.

Custom sanitization rules can also be provided.

Please note that sanitizing user-provided text does not guarantee that the resulting markup is valid or even well-formed. For example, the output may still contain unescaped characters like <>, or &.

  • :tags - An array of allowed tags.

  • :attributes - An array of allowed attributes.

  • :scrubber - A Rails::Html scrubber or Loofah::Scrubber object that defines custom sanitization rules. A custom scrubber takes precedence over custom tags and attributes.

module AnnouncementsHelper
  def safe_content(content)
    sanitize(content, tags: %w(b br))
  end
end

<p>
  <strong><%= t content %></strong>
  <%= safe_content @announcement.content %>
</p>

http://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html

Original source: http://www.cnblogs.com/iwangzheng/p/6180124.html
