stackoom
  简体   繁体   中英

Sinatra & HAML: auto-escape/convert unsafe HTML characters for a whole template?

 原文  2013-03-12 15:02:49       html/ ruby/ sinatra/ haml

Question

I've got a little sinatra app I'm using to run a basic website. The content for said site is being provided by a client, and most of it is coming out of PDFs. Since I'd rather not have to manually replace all the < with &lt; , and the & with &amp; , is there a way to configure HAML/Sinatra to do it for me automatically?

Basically, I have some blocks that look like this: 

%p
  large block of text here...
  multi-line so I can see it in my IDE...
  more lines here...

I'd like to just find some config option that tells HAML to go through all of the content and replace unsafe characters with their HTML entity counterparts.

I tried using the HTMLEntities gem, but this site has a lot of multi-line paragraphs, and I couldn't seem to get it to work. By that I mean that I would do something like this in my server.rb file: 

def "/some_url"
  @encoder = HTMLEntities.new
  haml :some_template
end

And in my template: 

%p
  = @encoder.encode("Really long multiline string...
    some more lines here...
    and more lines...")

And it would spit out an error about missing a closing ) .

2 answers

solution1
 6 ACCPTED  2013-03-12 17:52:29

You could use the :escaped filter : 

%p
  :escaped
    A block of text here that might
    contain & and <.

output: 

<p>
  A block of text here that might
  contain &amp; and &lt;.
</p>

It's not quite automatic, but might reduce the editing required.

solution2
 2  2013-03-12 15:12:34

Maybe you are looking for this: 

require 'cgi'
CGI::escapeHTML('unsafe string <script>kill() && destroy()</script>'
#=> "unsafe string &lt;script&gt;kill() &amp;&amp; destroy()&lt;/script&gt;"

EDIT

Now i actually get what you want. Just use :escape_html => true and you can wrap your text in ='...text here...' because all strings are implicitly escaped. 

require 'sinatra'

get '/' do
  haml :index, :escape_html => true
end

__END__

@@layout
!!! 5
%html
  %head
    %title Example
  %body
    = yield

@@index
%p
  ='Here is some <em>unsafe</em> HTML.'
  ='<script type="text/javascript">'
  ='killKittens() && destroyHumanity()'
  ='</script>'

Result: 

$ curl localhost:4567
<!DOCTYPE html>
<html>
  <head>
    <title>Example</title>
  </head>
  <body>
    <p>
      Here is some &lt;em&gt;unsafe&lt;/em&gt; HTML.
      &lt;script type=&quot;text/javascript&quot;&gt;
      killKittens() &amp;&amp; destroyHumanity()
      &lt;/script&gt;
    </p>
  </body>
</html>

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question auto-escape to prevent XSS Does Javascript methods auto-escape quotes? Multi-language auto-escape in Freemarker Escape HTML in markdown in HAML How to escape HTML in HAML form? How to convert escape characters in HTML tags? Why these 5 (6?) characters are considered “unsafe” HTML characters? Escaping HTML Escape Characters Escape special characters in HTML html escape characters
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM