强制在Rails中的HTML转义3 [英] Forcing HTML Escaping in Rails 3
问题描述
我遇到一个问题,rails自动转义。它目前认为一个字符串是html_safe(它是),但是为了显示,我需要它仍然逃避html。这是字符串正在执行的步骤。
I'm running into an issue with the rails auto-escaping. It currently thinks a string is html_safe (which it is), but for display purposes I need it to still escape the html. Here's the steps the string is taking.
my_string = render(:partial => "set_string", :locals => {:item => @item})
<%= my_string %>
,部分基本上是
<h2>Page Header</h2>
<strong><%= item.name %></strong>
<%= item.body %>
etc
我的理解是,因为我直接在视图中显示文本h2等),它假定它是安全的,它也正确地转义了项目输出,这使得整个my_string安全。所以,当我尝试用
My understanding is that because I'm displaying text in a view directly (the h2, etc) it assumes it is safe, and it also properly escapes the item outputs, which makes the whole my_string safe. So, when I try to display it with the
<%= my_string %>
它不会转义剩余的html。我尝试添加h强制逃脱,但是没有工作。
It doesn't escape the remaining html. I tried adding h to force the escaping but that didn't work.
所以我的问题是,有没有办法强制html转义一个安全的字符串,而不是调用字符串上的东西,这将使它不安全?
So my question is, is there anyway to force html escaping of a safe string other than calling something on the string that will make it unsafe?
非常感谢您的帮助。
推荐答案
感谢Sebastien的建议,我想在这里得到真正的答案,而不是埋在评论中:
Thanks to Sebastien for the suggestion, I wanted to get the real answer here and not buried in the comments:
我看起来像这样:
<%= raw CGI::escapeHTML(my_string) %>
您需要原始调用,否则escapeHTML使字符串不安全,除了转义它自动逃脱双重转义。
You need the "raw" call otherwise the escapeHTML makes the string unsafe in addition to escaping it so the auto escape double escapes it.
这篇关于强制在Rails中的HTML转义3的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!