Rails 4,Flash消息中的链接不会被解析为HTML [英] Rails 4, link in flash message is not parsed as HTML
问题描述
flash [:notice] =%Q [请#{view_context。 link_to('创建一个新帐户',new_account_path)},之后您将可以创建订单。]。html_safe
这是布局中的Flash区域:
< div id =main_flash_area>
<%flash.each do | name,msg | %GT;
< div class =alert text-center alert-info>
< a class =closedata-dismiss =alert>& times; Закрыть< / A>
<%= msg%>
< / div>
<%end%>
< / div>
它有一种渲染成链接,但浏览器不会将其解析为链接。它显示为
请< a href =/ accounts / new>创建新帐户< / a>之后,您将能够创建订单。
生成的HTML:
< div id =main_flash_area>
< div class =alert text-center alert-info>
< a class =closedata-dismiss =alert>×Закрыть< / a>
请在&a; a href =/ accounts / new& gt创建一个新帐户& lt; / a& gt,之后您将能够创建订单。
< / div>
< / div>
如何使其成为正确的链接?我猜它逃脱了一个>标签。
您需要清理您的视图中的 msg 。
<%=清除(msg)%> ;
这将呈现视图中的链接而不是转义html。
<请注意,这将适用于您应用中的所有Flash消息。如果您在Flash消息中显示任何用户输入,则必须记住在将其显示为Rails之前将其转义为Rails自动转义将不适用。
请注意 sanitize helper不太容易, raw 帮助器,可以配置它。它可以自动使用链接,删除脚本标签默认提供一些保护,如果你的Flash中有用户内容,但你需要做一个完整的检查,以确保你不引入任何安全问题。查看Rails文档了解更多信息。
In controller I have the following flash message:
flash[:notice] = %Q[Please #{view_context.link_to('create a new account', new_account_path)}, after that you will be able to create orders.].html_safe
Here is flash area in layout:
<div id="main_flash_area">
<% flash.each do |name, msg| %>
<div class="alert text-center alert-info">
<a class="close" data-dismiss="alert">× Закрыть</a>
<%= msg %>
</div>
<% end %>
</div>
It kinda renders into a link, but browser doesn't parse it as a link though. It is displayed as
Please <a href="/accounts/new">create a new account</a>, after that you will be able to create orders.
The generated HTML:
<div id="main_flash_area">
<div class="alert text-center alert-info">
<a class="close" data-dismiss="alert">× Закрыть</a>
Please <a href="/accounts/new">create a new account</a>, after that you will be able to create orders.
</div>
</div>
How do I make it a proper link? I guess it escapes < a> tag at some point.
You need to sanitise your flash msg in the view.
<%= sanitize(msg) %>
This will render the link in the view rather than escaping the html.
Be aware that this will apply to all flash messages in your app. If you display any user input in the flash message you will have to remember to escape it before displaying it as Rails auto escaping will not apply.
Note the sanitize helper is less permissive that the raw helper and it can be configured. It works with links automatically, It removes script tags by default providing some protection if you have user content in your flash but you will need to do a full check to ensure you do not introduce any security issues. Check the Rails docs for more info.
这篇关于Rails 4,Flash消息中的链接不会被解析为HTML的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
