  • Rails sanitize

    The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements. These helper methods extend Action View making them callable within your template files.

    Only the tags and attributes explicitly listed in the call to sanitize are allowed through to the page; everything else is stripped, which prevents HTML injection.

    sanitize(html, options = {})

    Sanitizes HTML input, stripping all tags and attributes that aren't whitelisted.

    It also strips href/src attributes with unsafe protocols like javascript:, while also protecting against attempts to use Unicode, ASCII, and hex character references to work around these protocol filters.

    The default sanitizer is Rails::Html::WhiteListSanitizer. See Rails HTML Sanitizers for more information.

    Custom sanitization rules can also be provided.

    Please note that sanitizing user-provided text does not guarantee that the resulting markup is valid or even well-formed. For example, the output may still contain unescaped characters like <, >, or &.

    • :tags - An array of allowed tags.

    • :attributes - An array of allowed attributes.

    • :scrubber - A Rails::Html scrubber or Loofah::Scrubber object that defines custom sanitization rules. A custom scrubber takes precedence over custom tags and attributes.

    module AnnouncementsHelper
      def safe_content(content)
        sanitize(content, tags: %w(b br))
      end
    end
    <p>
      <strong><%= t 'content' %></strong>
      <%= safe_content @announcement.content %>
    </p>


    http://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html

  • Original article: https://www.cnblogs.com/iwangzheng/p/6180124.html