Disable XSS and HTML Sanitization in Rails 3

China☆狼群 submitted on 2019-12-13 00:19:24

Question


I'm having an issue where when I have the contents of my rich text editor saved into the database using activerecord the html content is stripped of the html contents (I think it fires html_safe on it). I tried overriding the html_safe method on the content string, but nothing works.

content = "<p>hello</p>"
@article.content = content
puts @article.content # "<p>hello</p>"
@article.save
puts @article.content # "<>hello</>"

How can you override the html stripping capabilities in activerecord for a particular column?


Answer 1:


As frank blizzard already said in his answer, you make yourself vulnerable to XSS attacks.

But if you trust your authors, that these columns are safe to display, you can do something like this in your Article model

class Article < ActiveRecord::Base
  # Return the stored column marked html_safe so ERB does not escape it.
  # The attributes hash is keyed by strings, so attributes[:content] would
  # be nil; read_attribute resolves the key and we guard against a NULL column.
  def content
    value = read_attribute(:content)
    value && value.html_safe
  end
end



Answer 2:


You can use the raw(string) method, but it would make you vulnerable against XSS attacks. Another option would be taking a deeper look into markdown.




Answer 3:


Turns out the issue to this problem was nothing to do with Rails or the XSS stripping. The code that I had was modifying a string and then saving the results elsewhere which was causing the original input to be changed. I solved the problem by using string.dup to copy over the original string so that I wasn't affected.
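
A stand-alone Ruby reproduction of the aliasing bug Answer 3 describes, added here as an example and not code from the question or any of the answers. The processing step (stripping tag names with a mutating gsub!) is an assumption chosen to reproduce the observed "<>hello</>" symptom; no Rails is needed to run it.

```ruby
require 'erb'

# Added example (not from the question or the answers). Reproduces the
# aliasing bug in Answer 3 without Rails: a processing step that mutates
# its argument with String#gsub! also changes the caller's string, so the
# value still held by the model appears to "change on save". Working on
# a dup, as Answer 3 did, fixes it.

# Constructed stand-in for the processing step; it strips tag names and
# so reproduces the observed "<>hello</>" symptom. Not the asker's code.
TAG_NAME = /(<\/?)(\w+)/

def process_in_place!(str)
  str.gsub!(TAG_NAME, '\1')  # mutates the receiver; returns nil if nothing matched
  str
end

def process_copy(str)
  copy = str.dup             # the fix from Answer 3: work on a copy
  copy.gsub!(TAG_NAME, '\1')
  copy
end

# Mirrors the flow in the question: assign content, run the processing
# step (as a save hook would), then read the model's value back.
def simulate(processor)
  article = { content: String.new("<p>hello</p>") } # constructed stand-in for @article
  stored  = processor.call(article[:content])       # what the save path persists elsewhere
  { after_save: article[:content], stored: stored }
end

# Rails-style output escaping, for comparison: escaping produces entities
# and never turns "<p>" into "<>", so the symptom pointed away from the
# XSS protection the question suspected.
def escaped(str)
  ERB::Util.html_escape(str)
end

if __FILE__ == $0
  p simulate(method(:process_in_place!)) # {:after_save=>"<>hello</>", :stored=>"<>hello</>"}
  p simulate(method(:process_copy))      # {:after_save=>"<p>hello</p>", :stored=>"<>hello</>"}
  p escaped("<p>hello</p>")              # "&lt;p&gt;hello&lt;/p&gt;"
end
```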




Answer 4:


There should be an option for this.

I encourage you to take a look at the docs of the rich text editor that you are using.



Source: https://stackoverflow.com/questions/6951062/disable-xss-and-html-sanitization-in-rails-3
