How can I allow <source> tags through rails 4 sanitize?


Problem description

I've been using the sanitize method in a Rails 4 app to scrub a page which displays html that users generate to prevent unsafe things like script injection. So I have a view that looks like:

sanitize @user_input

Right now I'm having issues when users are entering video tags with a source tag under it like so:

<video><source src="foo.bar"></video>

Unfortunately it looks like sanitize is stripping out the source tag so videos are no longer working. How do I use sanitize so it allows source tags? Also how can I get a list of tags that are being allowed/dis-allowed? It'd be great to understand what is going on under the hood.

Just to be fully clear, I'd like to be able to add the source tag to the whitelist. When I specify it as an allowed tag in the arguments for sanitize it removes all the previous defaults for whitelisted tags. For example, I'd still like to allow default tags like a, h1, etc.

How do I add source to the whitelist instead of replacing it entirely?

Recommended answer

After digging through the source I've found that the list of default elements allowed is based on Loofah's WhiteList Sanitize

  • Default tags: Loofah::HTML5::WhiteList::ALLOWED_ELEMENTS_WITH_LIBXML2
  • Default attributes: Loofah::HTML5::WhiteList::ALLOWED_ATTRIBUTES

So to add <source> to the default list you could do the following:

# Build a new Set from Loofah's default elements plus <source>. Set#+ returns a copy,
# so the library constant is not mutated (calling Set#add on it would change the
# default for every later sanitize call in the process).
default_tags = Loofah::HTML5::WhiteList::ALLOWED_ELEMENTS_WITH_LIBXML2 + %w[source]
# The default attribute list is passed through unchanged; it already contains src.
default_attributes = Loofah::HTML5::WhiteList::ALLOWED_ATTRIBUTES
sanitize @user_input, tags: default_tags, attributes: default_attributes
