Rails:link_to方法
[英]Rails: link_to method
问题描述
I have something like this: 
我有这样的事情:
<p>
<b>Tags:</b>
<%if @post.tags.count > 0%>
<%= @post.tags.collect {|c| (link_to c.name, c)}.join(", ")%>
<%else%>
Does not have any tags.
<%end%>
</p>
Which gives me 这给了我
Tags: <a href="/tags/1">Java</a>, <a href="/tags/2">CSS</a>
Instead of Java and CSS links. 而不是Java和CSS链接。 What am I missing? 我想念什么?
3 个解决方案
解决方案1
6 已采纳 2011-01-11 02:46:27
It's because strings in Rails 3 are, by default, not considered HTML-safe. 这是因为默认情况下,Rails 3中的字符串不被认为是HTML安全的。 See this blog post about it. 请参阅此博客文章 。
You can manually mark something as safe by calling .html_safe on it, which would make your code like so: 您可以通过调用.html_safe手动将其标记为安全,这将使您的代码如下所示:
<p>
<b>Tags:</b>
<%if @post.tags.count > 0%>
<%= @post.tags.collect {|c| (link_to c.name, c)}.join(", ").html_safe %>
<%else%>
Does not have any tags.
<%end%>
</p>
But I'd recommend doing this instead: 但我建议改为这样做:
<p>
<b>Tags:</b>
<% if @post.tags.count > 0%>
<% @post.tags.each_with_index do |tag, i| %>
<%= link_to h(tag.name), tag %><%= ', ' if i < @post.tags.size - 1 %>
<% end %>
<% else %>
Does not have any tags.
<%end%>
</p>
解决方案2
3 2011-01-11 02:44:47
I think html_safe is what you are looking for! 我认为html_safe是您想要的! So this would solve the problem (@post.tags.collect {|c| (link_to c.name, c)}.join(", ")).html_safe 因此,这可以解决问题(@ post.tags.collect {| c |(link_to c.name,c)}。join(“,”))。html_safe
解决方案3
1 2011-01-11 07:18:36
I think your tag names should be input by the user, right? 我认为您的标签名称应该由用户输入,对吗?
In this case, html_safe is not your first choice, as it gave full trust to the user. 在这种情况下, html_safe不是您的首选,因为它完全信任用户。 And your site would encounter XSS attacks. 并且您的站点将受到XSS攻击。
The better choice should be sanitize . 更好的选择应该是sanitize 。 See the reference here: http://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html 请参阅此处的参考: http : //api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html
As you only want to have links, the following line do what you want: 当您只想拥有链接时,以下行即可满足您的需求:
<%= sanitize @post.tags.collect {|c| (link_to strip_links(c.name), c)}.join(", "), :tags => %w(a) %>
Note the use of strip_links(c.name) , this removes all the links that input by the user. 注意使用strip_links(c.name) ,这将删除用户输入的所有链接。
Let's assume the tag names are: ["Product", " hi ", "bye"] 假设标签名称为:[“产品”,“ 嗨 ”,“再见”]
By just using .html_safe , the following would be shown: 通过仅使用.html_safe ,将显示以下内容:
<a href="/tags/1">Product</a>, <a href="/tags/2"><strong>hi</strong></a>, <a href="/tags/3"><a href='bad_site.com'>bye</a></a>
But using the mix of sanitize with strip_links, the following is the result: 但是,将sanitize与strip_links混合使用,结果如下:
<a href="/tags/1">Product</a>, <a href="/tags/2"><strong>hi</strong></a>, <a href="/tags/3">bye</a>
Or you could mix the use of strip_tags with .html_safe : 或者,您可以将strip_tags与.html_safe混合使用:
<%= @post.tags.collect {|c| (link_to strip_tags(c.name), c)}.join(", ").html_safe %>
This simply removes all tags in c.name before you call the html_safe. 只需在调用c.name之前删除c.name中的所有标签即可。
I would suggest (and you probably are doing already :D) removing all unwanted tags before storing into the database. 我建议(您可能已经在:D了)在存储到数据库之前删除所有不需要的标签。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.