1. 技术文章
  2. html is being escaped in link_to

html is being escaped in link_to

人走茶凉 提交于 2019-12-24 08:23:10

问题


I'm trying to implement a link, when clicked marks you as present for a meeting. This link is a method in a helper:

  def link_to_remote_registration(event_id)
    down_image = "down_blanco.png"
    up_image   = "up_blanco.png"

    unless registration.nil?
      if registration.present == 1
        up_image = "up_filled.png"
      elsif registration.present == 0
        down_image = "down_filled.png"
      end
    end

    link_to_remote_registration = String.new 
    loading_and_complete = "Element.show('indicator_event_"+event_id.to_s+"'); Element.hide('vote_"+event_id.to_s+"')".html_safe
    complete = "Element.hide('indicator_event_"+event_id.to_s+"'); Element.show('vote_"+event_id.to_s+"')".html_safe

    link_to_remote_registration =
      link_to(image_tag(up_image , :id =>  'will_not_attend_event_'+ event_id.to_s , border => 0),
      :url =>  new_registration_path(:present  => 1, :event_id => event_id, :escape => false),
      :remote => true,
      :method => :put,
      :loading => loading_and_complete,
      :complete => complete)

    return link_to_remote_registration
  end

The problem is that when I render the link in my view some of the html gets escaped making the link not work.

<a href="/calendar?complete=Element.hide%28%27indicator_event_1%27%29%3B+Element.show%28%27vote_1%27%29&loading=Element.show%28%27indicator_event_1%27%29%3B+Element.hide%28%27vote_1%27%29&method=put&remote=true&url=%2Fregistrations%2Fnew%3Fevent_id%3D1%26present%3D1">
<img id="will_not_attend_event_1" border="0" src="/images/up_blanco.png?1198181114" alt="Up_blanco">
</a>

Which I think is not a valid url. I wonder why this happens - i call the html escape on the complete and loading string.

Regards


回答1:


Since you're passing the html from from a helper, Rails sanitizes it to protect from XSS. You can override it by returning:

link_to_remote_registration.html_safe

http://railscasts.com/episodes/204-xss-protection-in-rails-3




回答2:


You could also use raw() instead of disabling XSS system-wide.

raw(image_tag(up_image , :id =>  'will_not_attend_event_'+ event_id.to_s , border => 0))


来源:https://stackoverflow.com/questions/5619577/html-is-being-escaped-in-link-to

标签
ruby-on-rails
ajax
ruby-on-rails-3
helper
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!