Don't escape html in ruby on rails
Note: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must do so under the same license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverFlow
Original: http://stackoverflow.com/questions/3932267/
Asked by alexyorke
rails 3 seems to escape everything, including html. I have tried using raw() but it still escapes html. Is there a workaround? This is my helper that I am using (/helpers/application_helper.rb):
    module ApplicationHelper
      # Builds the status message; `res << ...` returns res, so the
      # if/else is the method's return value.
      def good_time(status = true)
        res = ""
        if status == true
          res << "Status is true, with a long message attached..."
        else
          res << "Status is false, with another long message"
        end
      end
    end
I am calling the helper in my view using this code:
<%= raw(good_time(true)) %>
Answered by Mischa
You can use .html_safe like this:
    def good_time(status = true)
      if status
        "Status is true, with a long message attached...".html_safe
      else
        "Status is false, with another long message".html_safe
      end
    end

    <%= good_time(true) %>
Answered by DreadPirateShawn
I ran into this same thing and discovered a safer solution than using html_safe, especially once you introduce strings which are dynamic.
First, the updated code:
    def good_time(long_message1, long_message2, status = true)
      html = "".html_safe              # start from an empty SafeBuffer
      html << "Status is #{status}, "
      if status
        html << long_message1          # escaped only if long_message1 is not html_safe
      else
        html << long_message2
      end
      html
    end

    <%= good_time("long message for success & such.", "malicious message <script>alert('foo')</script>", true) %>
This escapes long_message content if it is unsafe, but leaves it unescaped if it is safe.
This allows "long message for success & such." to display properly, but also escapes "malicious message <script>alert('foo')</script>".
The explanation boils down to this -- 'foo'.html_safe returns an ActiveSupport::SafeBuffer which acts like a String in every way except one: When you append a String to a SafeBuffer (by calling + or <<), that other String is HTML-escaped before it is appended to the SafeBuffer. When you append another SafeBuffer to a SafeBuffer, no escaping will occur. Rails is rendering all of your views under the hood using SafeBuffers, so the updated method above ends up providing Rails with a SafeBuffer that we've controlled to perform escaping on the long_message "as-needed" rather than "always".
Now, the credit for this answer goes entirely to Henning Koch, and is explained in far more detail at "Everything you know about html_safe is wrong" -- my recap above attempts only to provide the essence of the explanation in the event that this link ever dies.
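To make the append-time escaping described in the two answers above runnable without Rails, here is an added example that is not from the original answers and not Rails' own code: MiniSafeBuffer is a constructed stand-in for ActiveSupport::SafeBuffer that implements just the rule Henning Koch describes (a plain String is escaped when appended, an already-safe buffer is not), good_time is DreadPirateShawn's helper rebuilt on top of it, and bad_time shows the interpolate-first-then-html_safe pattern that marks untrusted input as safe. The String#html_safe and String#html_safe? definitions are added here only so the snippet runs stand-alone; in a Rails app they come from ActiveSupport.

```ruby
require "erb"   # ERB::Util.html_escape is in the standard library

# Constructed stand-in for ActiveSupport::SafeBuffer (not Rails' code).
# It models one rule: appending a plain String escapes it, appending a
# buffer that is already html_safe? does not.
class MiniSafeBuffer < String
  def html_safe?
    true
  end

  def <<(other)
    if other.respond_to?(:html_safe?) && other.html_safe?
      super(other.to_str)                       # already safe: pass through
    else
      super(ERB::Util.html_escape(other.to_s))  # untrusted: escape first
    end
  end

  def +(other)
    dup << other   # dup keeps the MiniSafeBuffer class, so + stays safe-aware
  end
end

# Mirror the two String methods the answers rely on, but only if nothing
# (such as ActiveSupport itself) has defined them already.
class String
  def html_safe?
    false
  end unless method_defined?(:html_safe?)

  def html_safe
    MiniSafeBuffer.new(self)
  end unless method_defined?(:html_safe)
end

# The helper from the answer above: the status text is trusted, the messages
# are escaped only when they are not already marked safe.
def good_time(long_message1, long_message2, status = true)
  html = "".html_safe
  html << "Status is #{status}, "
  html << (status ? long_message1 : long_message2)
  html
end

# The pattern the answer warns against: interpolating first and calling
# html_safe afterwards marks the untrusted message as safe too, so the
# view renders it unescaped.
def bad_time(message)
  "Status: #{message}".html_safe
end

if __FILE__ == $0
  puts good_time("long message for success & such.", "", true)
  puts good_time("", "malicious message <script>alert('foo')</script>", false)
  puts good_time("<b>already safe markup</b>".html_safe, "", true)
  puts bad_time("<script>alert('foo')</script>")
end
```

Running the file prints the ampersand as `&amp;`, the script tags escaped, the pre-marked `<b>` left intact, and the bad_time output unescaped. The point to carry back to real Rails code is the same as in the answer: call html_safe on literals you wrote yourself and on the empty starting buffer, never on a string that already has user data interpolated into it.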