There are three basic approaches to this problem.

解决这个问题有三种基本方法。

1. use h()in your views. The downside here is that if you forget, you get pwnd.
2. Use a plugin that escapes content when it is saved. My plugin xss_terminatedoes this. Then you don't have to use h()in your views (mostly). There are others that work on the controller level. The downsides here are (a) if there's a bug in the escaping code, you could get XSS in your database; and (b) There are corner cases where you'll still want to use h().
3. Use a plugin that escapes content when it is displayed. CrossSiteSniperis probably the best known of these. This aliases your attributes so that when you call foo.name it escapes the content. There's a way around it if you need the content unescaped. I like this plugin but I'm not wild about letting XSS into my database in the first place...

1. h()在您的视图中使用。这里的缺点是如果你忘记了，你会得到 pwnd。
2. 使用在保存时转义内容的插件。我的插件xss_terminate 就是这样做的。然后你不必h()在你的视图中使用（大部分）。还有其他工作在控制器级别。这里的缺点是 (a) 如果转义代码中存在错误，您的数据库中可能会出现 XSS；(b) 在某些极端情况下，您仍然希望使用h().
3. 使用在显示时转义内容的插件。CrossSiteSniper可能是其中最著名的。这会为您的属性设置别名，以便在您调用 foo.name 时它会转义内容。如果您需要未转义的内容，有一种解决方法。我喜欢这个插件，但我并不想一开始就让 XSS 进入我的数据库......

Then there are some hybrid approaches.

然后有一些混合方法。

There's no reason why you can't use xss_terminate and CrossSiteSniper at the same time.

没有理由不能同时使用 xss_terminate 和 CrossSiteSniper。

There's also a ERb implementation called Erubisthat can be configured so that any call like <%= foo.name %>is escaped -- the equivalent of <%= h(foo.name) %>. Unfortunately, Erubis always seems to lag behind Rails and so using it can slow you down.

还有一个名为Erubis的 ERb 实现，可以对其进行配置，以便对任何类似的调用<%= foo.name %>进行转义——相当于<%= h(foo.name) %>. 不幸的是，Erubis 似乎总是落后于 Rails，因此使用它会减慢您的速度。

If you want to read more, I wrote a blog post (which Xavor kindly linked to) about using xss_terminate.

如果你想阅读更多，我写了一篇关于使用 xss_terminate的博客文章（Xavor 友情链接到）。

The his an alias for html_escape, which is a utility method for escaping all HTML tag characters:

的ħ是一个别名html_escape，这对于所有逸出HTML标记字符的实用方法：

html_escape('<script src=http://ha.ckers.org/xss.js></script>')
# => &lt;script src=http://ha.ckers.org/xss.js&gt;&lt;/script&gt;

If you need more control, go with the sanitizemethod, which can be used as a white-list of tags and attributes to allow:

如果您需要更多控制，请使用sanitize方法，该方法可用作标记和属性的白名单以允许：

sanitize(@article.body, :tags => %w(table tr td), :attributes => %w(id class style))

I would allow the user to input anything, store it as-is in the database, and escape when displaying it. That way you don't lose any information entered. You can always tweak the escaping logic later...

我将允许用户输入任何内容，将其按原样存储在数据库中，并在显示时转义。这样您就不会丢失任何输入的信息。您可以稍后随时调整转义逻辑...

Use the h method in your view template. Say you have a post object with a comment property:

在视图模板中使用 h 方法。假设您有一个带有 comment 属性的 post 对象：

<div class="comment">
    <%= h post.comment %>
</div>

Or with this plugin - no need for h 8)

或者使用这个插件 - 不需要 h 8)

http://railspikes.com/2008/1/28/auto-escaping-html-with-rails

http://railspikes.com/2008/1/28/auto-escaping-html-with-rails

I've just released a plugin called ActsAsSanitiledusing the Sanitizegem which can guarantee well-formedness as well being very configurable to what kind of HTML is allowed, all without munging user input or requiring anything to be remembered at the template level.

我刚刚使用Sanitizegem发布了一个名为ActsAsSanitiled的插件，它可以保证格式良好，并且可以非常配置允许使用的 HTML 类型，所有这些都不需要修改用户输入或需要在模板级别记住任何内容。