We want to let our users use html entities in their content, but don't want to be exposed to the scripting attacks. So, we use following:
我们希望让我们的用户在其内容中使用html实体,但不希望暴露于脚本攻击。所以,我们使用以下内容:
strip_tags(unsafe_string).html_safe
As far as I understand it should be safe, as long as no valid tag should appear in the output. On the other hand, I can image situation when browser will render an invalid tag, which won't be sanitized by the helper. Should I be concerned about that?
据我所知,只要输出中不出现有效标签,它应该是安全的。另一方面,当浏览器呈现无效标记时,我可以对图像进行成像,这些标记将不会被帮助程序清理。我应该关注那个吗?
Thanks.
1 个解决方案
#1
0
Apparently it is not supposed to escape & or <, so its html_safe being false is supposed to be correct. So you should not mark it as html_safe.
显然它不应该逃脱&或<,所以它的html_safe是假的应该是正确的。所以你不应该把它标记为html_safe。
However, recent version of Rails starts to escape these two characters, and this is considered a bug, but was not fixed yet as of Rails 4.2.5.2 (https://github.com/rails/rails-html-sanitizer/issues/28)
但是,最近版本的Rails开始逃避这两个字符,这被认为是一个bug,但是从Rails 4.2.5.2开始还没有修复(https://github.com/rails/rails-html-sanitizer/issues/ 28)
#1
0
Apparently it is not supposed to escape & or <, so its html_safe being false is supposed to be correct. So you should not mark it as html_safe.
显然它不应该逃脱&或<,所以它的html_safe是假的应该是正确的。所以你不应该把它标记为html_safe。
However, recent version of Rails starts to escape these two characters, and this is considered a bug, but was not fixed yet as of Rails 4.2.5.2 (https://github.com/rails/rails-html-sanitizer/issues/28)
但是,最近版本的Rails开始逃避这两个字符,这被认为是一个bug,但是从Rails 4.2.5.2开始还没有修复(https://github.com/rails/rails-html-sanitizer/issues/ 28)