在线时间:8:00-16:00
迪恩网络APP
随时随地掌握行业动态
扫描二维码
关注迪恩网络微信公众号
开源软件名称:rails/rails-html-sanitizer开源软件地址:https://github.com/rails/rails-html-sanitizer开源编程语言:Ruby 100.0%开源软件介绍:Rails Html SanitizersIn Rails 4.2 and above this gem will be responsible for sanitizing HTML fragments in Rails
applications, i.e. in the Rails Html Sanitizer is only intended to be used with Rails applications. If you need similar functionality in non Rails apps consider using Loofah directly (that's what handles sanitization under the hood). InstallationAdd this line to your application's Gemfile:
And then execute:
Or install it yourself as:
UsageA note on HTML entitiesRails::HTML sanitizers are intended to be used by the view layer, at page-render time. They are not intended to sanitize persisted strings that will sanitized again at page-render time. Proper HTML sanitization will replace some characters with HTML entities. For example, This is important to keep in mind because HTML entities will render improperly if they are sanitized twice. A concrete example showing the problem that can ariseImagine the user is asked to enter their employer's name, which will appear on their public profile page. Then imagine they enter If you sanitize this before persisting it in the database, the stored string will be When the page is rendered, if this string is sanitized a second time by the view layer, the HTML will contain Another problem that can arise is rendering the sanitized string in a non-HTML context (for example, if it ends up being part of an SMS message). In this case, it may contain inappropriate HTML entities. Suggested alternativesYou might simply choose to persist the untrusted string as-is (the raw input), and then ensure that the string will be properly sanitized by the view layer. That raw string, if rendered in an non-HTML context (like SMS), must also be sanitized by a method appropriate for that context. You may wish to look into using Loofah or Sanitize to customize how this sanitization works, including omitting HTML entities in the final string. If you really want to sanitize the string that's stored in your database, you may wish to look into Loofah::ActiveRecord rather than use the Rails::HTML sanitizers. SanitizersAll sanitizers respond to FullSanitizerfull_sanitizer = Rails::Html::FullSanitizer.new
full_sanitizer.sanitize("<b>Bold</b> no more! <a href='more.html'>See more here</a>...")
# => Bold no more! See more here... LinkSanitizerlink_sanitizer = Rails::Html::LinkSanitizer.new
link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.</a>')
# => Only the link text will be kept. SafeListSanitizersafe_list_sanitizer = Rails::Html::SafeListSanitizer.new
# sanitize via an extensive safe list of allowed elements
safe_list_sanitizer.sanitize(@article.body)
# safe list only the supplied tags and attributes
safe_list_sanitizer.sanitize(@article.body, tags: %w(table tr td), attributes: %w(id class style))
# safe list via a custom scrubber
safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
# safe list sanitizer can also sanitize css
safe_list_sanitizer.sanitize_css('background-color: #000;')
# fully prune nodes from the tree instead of stripping tags and leaving inner content
safe_list_sanitizer = Rails::Html::SafeListSanitizer.new(prune: true) ScrubbersScrubbers are objects responsible for removing nodes or attributes you don't want in your HTML document. This gem includes two scrubbers
|
2023-10-27
2022-08-15
2022-08-17
2022-09-23
2022-08-13
请发表评论