如何纺织和清洁html? [英] How do I textile and sanitize html?
问题描述
-
html_escape(textilize(< / body> foo))将打破纺织品 -
textilize(html_escape(< / body& ))会工作,但打破各种纺织品功能,如链接(如$ code>Linkname:http://www.wheretogo.com/ ),因为报价将被转换为& quot;,因此不再被纺织品检测到。 -
sanitize没有做得更好。
有什么建议吗?我不想使用整理来解决这个问题。
提前感谢
对于那些遇到同样问题的人:如果您使用 RedCloth宝石你可以定义自己的方法(在您的一个助手中)。
def safe_textilize(s)
如果s && s.respond_to?(:to_s)
doc = RedCloth.new(s.to_s)
doc.filter_html = true
doc.to_html
end
end
文档摘录:
设置安全限制的访问者。
如果您在
公共场所(例如维基)中使用RedCloth进行格式化,那么这是一件好事
如果设置了
filter_html,那么未创建的HTML由纺织处理器将
转义。或者,如果设置了sanitize_html,则HTML可以通过Textile
处理器,但未经授权的标签和属性将被删除。
Now i ran into some stupid situation. I want the users to be able to use textile, but they shouldn't mess around with my valid HTML around their entry. So I have to escape the HTML somehow.
html_escape(textilize("</body>Foo"))would break textile whiletextilize(html_escape("</body>Foo"))would work, but breaks various Textile features like links (written like"Linkname":http://www.wheretogo.com/), since the quotes would be transformed into"and thus not detected by textile anymore.sanitizedoesn't do a better job.
Any suggestions on that one? I would prefer not to use Tidy for this problem. Thanks in advance.
For those who run into the same problem: If you are using the RedCloth gem you can just define your own method (in one of your helpers).
def safe_textilize( s )
if s && s.respond_to?(:to_s)
doc = RedCloth.new( s.to_s )
doc.filter_html = true
doc.to_html
end
end
Excerpt from the Documentation:
Accessors for setting security restrictions.
This is a nice thing if you‘re using RedCloth for formatting in public places (e.g. Wikis) where you don‘t want users to abuse HTML for bad things.
If
filter_htmlis set, HTML which wasn‘t created by the Textile processor will be escaped. Alternatively, ifsanitize_htmlis set, HTML can pass through the Textile processor but unauthorized tags and attributes will be removed.
这篇关于如何纺织和清洁html?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
