Rails sanitize
Posted by 冰凌花花~
Preface: this article was compiled by the editors of 小常识网 (cha138.com). It introduces the Rails sanitize helper and is intended as reference material.
The SanitizeHelper module provides a set of methods for scrubbing text of undesired html elements. These helper methods extend Action View making them callable within your template files.
Only the tags and attributes specified in the sanitize call are allowed into the page output; everything else is stripped, which prevents markup injection.
sanitize(html, options = {})
Sanitizes HTML input, stripping all tags and attributes that aren't whitelisted. It also strips href/src attributes with unsafe protocols like javascript:, while also protecting against attempts to use Unicode, ASCII, and hex character references to work around these protocol filters.
The default sanitizer is Rails::Html::WhiteListSanitizer. See Rails HTML Sanitizers for more information.
Custom sanitization rules can also be provided.
Please note that sanitizing user-provided text does not guarantee that the resulting markup is valid or even well-formed. For example, the output may still contain unescaped characters like <, >, or &.
Options:
- :tags - An array of allowed tags.
- :attributes - An array of allowed attributes.
- :scrubber - A Rails::Html scrubber or Loofah::Scrubber object that defines custom sanitization rules. A custom scrubber takes precedence over custom tags and attributes.
module AnnouncementsHelper
  # Allow only <b> and <br>; every other tag and every attribute is stripped.
  def safe_content(content)
    sanitize(content, tags: %w(b br))
  end
end
<p>
  <strong><%= t 'content' %></strong>
  <%= safe_content @announcement.content %>
</p>
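As an added illustration (not Rails' own code and not part of this article), the following simplified Ruby mirrors what the safe_content helper above relies on from sanitize: an allow-list of tags and attributes, and the href/src protocol check that decodes character references first. The regex-based tag handling and the SAFE_PROTOCOLS list are assumptions of this illustration, not the library's implementation.

```ruby
require 'cgi'

# Added illustration, not the Rails::Html sanitizer itself: a tiny allow-list
# sanitizer mirroring sanitize(html, tags:, attributes:) for the safe_content
# helper, including the href/src protocol check. Tag handling is regex-based
# and deliberately simplified; applications should call the real helper.
SAFE_PROTOCOLS = %w[http https mailto].freeze  # assumed list for this demo

# Decode character references and drop whitespace/control characters that
# browsers ignore, so "&#106;avascript:", "&#x6A;avascript:" and
# "j\tavascript:" all normalise to the scheme "javascript".
def normalized_scheme(url)
  decoded = CGI.unescapeHTML(url.to_s).gsub(/[[:space:][:cntrl:]]/, '')
  decoded[/\A([a-z][a-z0-9+.\-]*):/i, 1]&.downcase
end

# A URL is safe when it has no scheme (relative) or an allow-listed one.
def safe_url?(url)
  scheme = normalized_scheme(url)
  scheme.nil? || SAFE_PROTOCOLS.include?(scheme)
end

def sanitize_simple(html, tags: [], attributes: [])
  allowed_tags = tags.map(&:downcase)
  allowed_attrs = attributes.map(&:downcase)
  html.gsub(%r{<\s*(/?)\s*([a-zA-Z0-9]+)([^>]*)>}) do
    closing, name, attrs = $1, $2.downcase, $3
    next '' unless allowed_tags.include?(name)   # tag dropped, its text kept
    next "</#{name}>" if closing == '/'
    kept = attrs.scan(/([a-zA-Z\-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/).map do |attr, value|
      attr = attr.downcase
      next unless allowed_attrs.include?(attr)
      bare = value.gsub(/\A["']|["']\z/, '')
      next if %w[href src].include?(attr) && !safe_url?(bare)  # unsafe protocol
      %(#{attr}="#{CGI.escapeHTML(CGI.unescapeHTML(bare))}")
    end.compact
    kept.empty? ? "<#{name}>" : "<#{name} #{kept.join(' ')}>"
  end
end

# Same allow-list as the AnnouncementsHelper#safe_content shown above.
def safe_content(content)
  sanitize_simple(content, tags: %w[b br])
end
```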
http://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html