Ruby on Rails:如何将字符串呈现为 HTML?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/4576932/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Ruby on Rails: how to render a string as HTML?
提问by Tim
I have
我有
@str = "<b>Hi</b>"
and in my erb view:
在我看来:
<%= @str %>
What will display on the page is: <b>Hi</b>when what I really want is Hi. What's the ruby way to "interpret" a string as HTML markup?
页面上将显示的是:<b>Hi</b>当我真正想要的是Hi 时。将字符串“解释”为 HTML 标记的 ruby 方式是什么?
Edit: the case where
编辑:这种情况
@str = "<span class=\"classname\">hello</span>"
If in my view I do
如果在我看来我这样做
<%raw @str %>
The HTML source code is <span class=\"classname\">hello</span> where what I really want is <span class="classname">hello</span>(without the backslashes that were escaping the double quotes). What's the best way to "unescape" those double quotes?
HTML 源代码是<span class=\"classname\">hello</span> 我真正想要的地方<span class="classname">hello</span>(没有转义双引号的反斜杠)。“取消转义”那些双引号的最佳方法是什么?
回答by Jacob
UPDATE
更新
For security reason, it is recommended to use sanitizeinstead of html_safe. Link
出于安全原因,建议使用sanitize代替html_safe。关联
What's happening is that, as a security measure, Rails is escaping your string for you because it might have malicious code embedded in it. But if you tell Rails that your string is html_safe, it'll pass it right through.
实际情况是,作为一项安全措施,Rails 正在为您转义您的字符串,因为其中可能嵌入了恶意代码。但是如果你告诉 Rails 你的字符串是html_safe,它会直接通过它。
@str = "<b>Hi</b>".html_safe
<%= @str %>
OR
或者
@str = "<b>Hi</b>"
<%= @str.html_safe %>
Using rawworks fine, but all it's doing is converting the string to a string, and then calling html_safe. When I know I have a string, I prefer calling html_safe directly, because it skips an unnecessary step and makes it clearer what's going on. Details about string-escaping and XSS protection are in this Asciicast.
使用raw工作正常,但它所做的只是将字符串转换为字符串,然后调用 html_safe。当我知道我有一个字符串时,我更喜欢直接调用 html_safe,因为它跳过了一个不必要的步骤,并使发生的事情更清楚。有关字符串转义和 XSS 保护的详细信息在此 Asciicast 中。
回答by Michael Stum
回答by jibiel
回答by bcackerman
You can also use simple_format(@str)which removes malicious code. Read more here: http://api.rubyonrails.org/classes/ActionView/Helpers/TextHelper.html#method-i-simple_format
您还可以使用simple_format(@str)which 删除恶意代码。在此处阅读更多信息:http: //api.rubyonrails.org/classes/ActionView/Helpers/TextHelper.html#method-i-simple_format
回答by jmort253
You are mixing your business logic with your content. Instead, I'd recommend sending the data to your page and then using something like JQuery to place the data where you need it to go.
您将业务逻辑与内容混合在一起。相反,我建议将数据发送到您的页面,然后使用 JQuery 之类的东西将数据放置在您需要的位置。
This has the advantage of keeping all your HTML in the HTML pages where it belongs so your web designers can modify the HTML later without having to pour through server side code.
这具有将所有 HTML 保留在它所属的 HTML 页面中的优点,因此您的 Web 设计人员可以稍后修改 HTML,而无需倾注服务器端代码。
Or if you're not wanting to use JavaScript, you could try this:
或者如果你不想使用 JavaScript,你可以试试这个:
@str = "Hi"
<b><%= @str ></b>
At least this way your HTML is in the HTML page where it belongs.
至少这样你的 HTML 就在它所属的 HTML 页面中。
回答by Arman Ortega
Or you can try CGI.unescapeHTMLmethod.
或者你可以试试CGI.unescapeHTML方法。
CGI.unescapeHTML "<p>This is a Paragraph.</p>"
=> "<p>This is a Paragraph.</p>"
回答by Crash
@str = "<span class=\"classname\">hello</span>"If in my view I do
<%raw @str %>The HTML source code is<span class=\"classname\">hello</span>where what I really want is<span class="classname">hello</span>(without the backslashes that were escaping the double >quotes). What's the best way to "unescape" those double quotes?
@str = "<span class=\"classname\">hello</span>"如果在我看来我这样做
<%raw @str %>HTML 源代码是<span class=\"classname\">hello</span>我真正想要的地方<span class="classname">hello</span>(没有转义双 > 引号的反斜杠)。“取消转义”那些双引号的最佳方法是什么?
Solution: use double quotes inside of single quotes (or single inside of double) to avoid escaping with a backslash.
解决方案:在单引号内使用双引号(或在双引号内使用单引号)以避免使用反斜杠转义。
@str = '<span class="classname">hello</span>'
<%raw @str %>
回答by pjammer
since you are translating, and picking out your wanted code from a person's crappy coded file, could you use content_tag, in combo with your regex's.
既然您正在翻译,并从一个人的蹩脚编码文件中挑选出您想要的代码,您能否将 content_tag 与您的正则表达式结合使用。
Stealing from the api docs, you could interpolate this translated code into a content_taglike:
从 api 文档中窃取,您可以将此翻译后的代码插入到content_tag类似的内容中:
<%= content_tag translated_tag_type.to_sym, :class => "#{translated_class}" do -%>
<%= translated_text %>
<% end -%>
# => <div class="strong">Hello world!</div>
Not knowing your code, this kind of thinking will make sure your translated code is too compliant.
不知道你的代码,这种想法会确保你翻译的代码太合规了。
回答by G. A.
The html_safe version works well in Rails 4...
html_safe 版本在 Rails 4 中运行良好......
<%= "<center style=\"color: green; font-size: 1.1em\" > Administrators only </center>".html_safe if current_user.admin? %
>
