stackoom
  简体   繁体   中英

Prevent rails from converting special characters to HTML entities

 原文  2011-04-21 12:17:46       javascript/ html/ ruby/ ruby-on-rails-3

Question

I'm using the following helper function, but it seems to convert all the special characters in my JavaScript statement to HTML entities, rendering it useless and broken. Any suggestions? 

 def link_to_add_fields(name, f, association)
    new_object = f.object.class.reflect_on_association(association).klass.new
    fields = f.fields_for(association, new_object, :child_index => "new_#{association}") do |builder|
      render(association.to_s + "_fields", :f => builder)
    end
    link_to_function(name, h("add_fields(this, \"#{association}\", \"#{escape_javascript(fields)}\")"))
  end

The above generates a link like this (notice the conversions to $amp; - " etc: 

<a href="#" onclick="add_fields(this, &amp;quot;skills&amp;quot;, &amp;quot;&amp;lt;label for=\&amp;quot;user_skills_attributes_new_skills_name\&amp;quot;&amp;gt;Skill&amp;lt;\/label&amp;gt;\n&amp;lt;input data-autocomplete=\&amp;quot;/users/autocomplete_skills_vocab_name\&amp;quot; id=\&amp;quot;user_skills_attributes_new_skills_name\&amp;quot; name=\&amp;quot;user[skills_attributes][new_skills][name]\&amp;quot; size=\&amp;quot;30\&amp;quot; type=\&amp;quot;text\&amp;quot; /&amp;gt;&amp;lt;br /&amp;gt;\n&amp;lt;input id=\&amp;quot;user_skills_attributes_new_skills__destroy\&amp;quot; name=\&amp;quot;user[skills_attributes][new_skills][_destroy]\&amp;quot; type=\&amp;quot;hidden\&amp;quot; value=\&amp;quot;false\&amp;quot; /&amp;gt;&amp;lt;a href=\&amp;quot;#\&amp;quot; onclick=\&amp;quot;remove_fields(this); return false;\&amp;quot;&amp;gt;remove&amp;lt;\/a&amp;gt;&amp;quot;); return false;">Add a Skill</a>

EDIT/

Figured it out -- For Rails 3 remove h()

1 answers

solution1
 7 ACCPTED  2011-04-21 15:14:35

In Rails 2, output by default was not escaped. The h() method does this. In Rails 2 views, you often see the following: 

<%=h @object.field %>

However, in Rails 3 output is now escaped by default. You no longer need the h() method. In order to get unescaped output you have to use the raw method.

More information is available here: http://railscasts.com/episodes/204-xss-protection-in-rails-3

So basically in your case you were looking at Rails 2 code and the removal of the h() is needed to update it for Rails 3.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question prevent html special characters Prevent tooltip in converting HTML Entities Convert special characters to HTML entities, Laravel Converting special characters into html jquery or javascript Displaying special characters, HTML entities, unicode as is in rendered HTML Converting special characters from Javascript to Java prevent escaping special characters on textnode(JS-HTML) Return special characters in html correctly from JavaScript Special characters from json break html Prevent Conversion of HTML Entities
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM