Ruby-on-rails 在 RoR 4 中带有验证的正则表达式
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/17759735/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Regular expressions with validations in RoR 4
提问by malcoauri
There is the following code:
有以下代码:
class Product < ActiveRecord::Base
validates :title, :description, :image_url, presence: true
validates :price, numericality: {greater_than_or_equal_to: 0.01}
validates :title, uniqueness: true
validates :image_url, allow_blank: true, format: {
with: %r{\.(gif|jpg|png)$}i,
message: 'URL must point to GIT/JPG/PNG pictures'
}
end
It works, but when I try to test it using "rake test" I'll catch this message:
它有效,但是当我尝试使用“rake test”来测试它时,我会收到以下消息:
rake aborted!
The provided regular expression is using multiline anchors (^ or $), which may present a security risk. Did you mean to use \A and \z, or forgot to add the :multiline => true option?
What does it mean? How can I fix it?
这是什么意思?我该如何解决?
回答by oldergod
^and $are Start of Lineand End of Lineanchors. While \Aand \zare Permanent Start of Stringand End of Stringanchors.
See the difference:
^并且$是开始线和结束线的锚。虽然\A和\z是永久开始字符串和结束串的锚。
看到不同:
string = "abcde\nzzzz"
# => "abcde\nzzzz"
/^abcde$/ === string
# => true
/\Aabcde\z/ === string
# => false
So Rails is telling you, "Are you sure you want to use ^and $? Don't you want to use \Aand \zinstead?"
所以Rails 告诉你,“你确定要使用^and$吗?你不想使用\Aand\z吗?”
There is more on the rails security concern that generates this warning here.
回答by ole
This warning raises because your validation rule is vulnerable for javascript injection.
出现此警告是因为您的验证规则容易受到 javascript 注入的攻击。
In your case \.(gif|jpg|png)$matches till the end of the line. So your rule will validate this value pic.png\nalert(1);as true:
在您的情况下,\.(gif|jpg|png)$匹配到行尾。因此,您的规则会将此值验证pic.png\nalert(1);为 true:
"test.png\n<script>alert(1)</script>" === /\.(gif|jpg|png)$/i
# => true
"test.png\n<script>alert(1)</script>" === /\.(gif|jpg|png)\z/i
# => false
Read the acticles:
阅读动作:
回答by mcr
The problem regexp is not in devise, but rather lives in config/initializers/devise.rb. Change:
问题正则表达式不在设计中,而是在 config/initializers/devise.rb 中。改变:
# Regex to use to validate the email address
config.email_regexp = /^([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})$/i
to:
到:
# Regex to use to validate the email address
config.email_regexp = /\A([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})\Z/i
回答by yonosoytu
The warning is telling you that strings like the following will pass validation, but it is probably not what you want:
警告告诉您类似以下的字符串将通过验证,但这可能不是您想要的:
test = "image.gif\nthis is not an image"
re = /\.(gif|jpg|png)$/i
re.match(test) #=> #<MatchData ".gif" 1:"gif">
Both ^and $matches the start/end of any line, not the start/end of the string. \Aand \zmatches the start and the end of the full string, respectively.
无论^和$任何线路,而不是字符串的开始/结束的开始/结束匹配。\A并分别\z匹配完整字符串的开头和结尾。
re = /\.(gif|jpg|png)\z/i
re.match(test) #=> nil
The second part of the warning (“or forgot to add the :multiline => true option”) is telling you that if you actually want the behaviour of ^and $you can simply silence the warning passing the :multilineoption.
该警告的第二部分(“或忘了加:多=> true选项”)是告诉你,如果你真的想要的行为,^并且$你可以简单地沉默警告传递:multiline选项。
回答by max
If Ruby wants to see \zinstead of the $symbol sign, for security, you need to give it to him, then the code would look like this :
如果 Ruby 想要看到\z而不是$符号符号,为了安全起见,您需要将其提供给他,那么代码将如下所示:
validates :image_url, allow_blank: true, format: {with: %r{\.(gif|jpg|png)\z}i, message: 'URL must point to GIF, JPG, PNG.'}
