在Rails 3中禁用XSS和HTML清理
[英]Disable XSS and HTML Sanitization in Rails 3
问题描述
I'm having an issue where when I have the contents of my rich text editor saved into the database using activerecord the html content is stripped of the html contents (I think it fires html_safe on it). 
我遇到一个问题,当我使用activerecord将富文本编辑器的内容保存到数据库中时,会从html内容中删除html内容(我认为它会触发html_safe)。 I tried overriding the html_safe method on the content string, but nothing works. 我尝试覆盖内容字符串上的html_safe方法,但没有任何效果。
content = "<p>hello</p>"
@article.content = content
puts @article.content # "<p>hello</p>"
@article.save
puts @article.content # "<>hello</>"
How can you override the html stripping capabilities in activerecord for a particular column? 如何覆盖ActiveRecord中特定列的html剥离功能?
4 个解决方案
解决方案1
1 2011-08-05 22:43:50
As frank blizzard already said in his answer , you make your self vulnerable two XSS-Attacks. 正如弗兰克·暴雪(Frank blizzard)在他的回答中已经说过的那样,您使自己容易受到攻击的两个XSS-Attacks。
But if you trust your authors, that this columns are safe two display, you can do something like this in your Article model 但是,如果您相信作者,那么此列是可以安全显示的两栏,则可以在Article模型中执行类似的操作
class Article < ActiveRecord::Base
def content
attributes[:content].html_safe
end
end
解决方案2
0 已采纳 2012-08-15 02:44:26
Turns out the issue to this problem was nothing todo with Rails or the XSS stripping. 事实证明,此问题与Rails或XSS剥离无关。 The code that I had was modifying a string and then saving the results elsewhere which was causing the original input to be changed. 我的代码正在修改一个字符串,然后将结果保存到其他位置,这导致原始输入被更改。 I solved the problem by using string.dup to copy over the original string so that I wasn't affected. 我通过使用string.dup复制原始字符串来解决了问题,因此我没有受到影响。
解决方案3
0 2011-08-05 08:15:46
解决方案4
-3 2011-08-05 05:46:54
There should be an option for this. 应该有一个选择。
I encourage you to take a look at the docs of the rich text editor that you are using. 我鼓励您看一下正在使用的RTF编辑器的文档。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.