How good is the Rails sanitize() method?


Question

Can I use ActionView::Helpers::SanitizeHelper#sanitize on user-entered text that I plan on showing to other users? E.g., will it properly handle all cases described on this site?

Also, the documentation says:

Please note that sanitizing user-provided text does not guarantee that the resulting markup is valid (conforming to a document type) or even well-formed. The output may still contain e.g. unescaped '<', '>', '&' characters and confuse browsers.

What's the best way to handle this? Pass the sanitized text through Hpricot before displaying?

Answer

Ryan Grove's Sanitize goes a lot farther than Rails 3 sanitize. It ensures the output HTML is well-formed and has three built-in whitelists:

Sanitize::Config::RESTRICTED Allows only very simple inline formatting markup. No links, images, or block elements.

Sanitize::Config::BASIC Allows a variety of markup including formatting tags, links, and lists. Images and tables are not allowed, links are limited to FTP, HTTP, HTTPS, and mailto protocols, and an attribute is added to all links to mitigate SEO spam.

Sanitize::Config::RELAXED Allows an even wider variety of markup than BASIC, including images and tables. Links are still limited to FTP, HTTP, HTTPS, and mailto protocols, while images are limited to HTTP and HTTPS. In this mode, no such attribute is added to links.
