0

我们使用了 Sanitize gem 和 HTMLEntities 的组合来清理用户输入的 HTML。Sanitize 宝石使用 Hpricot,但现在使用 Nokogiri。我需要让 Hpricot 退出应用程序。

这是两个测试字符串,每个字符串后跟我期望的输出:

测试字符串 1:

"SOME TEXT < '<span style='background-image: url(\"http://evil.ru/webbug.png\")'>MORE' & TEXT!!!</span>"

expected_text = "SOME TEXT < 'MORE' & TEXT!!!"

第二个测试字符串(路径略有不同):

'Support <i>odd</i> chars like " < \' ‽'

expected_text = 'Support <i>odd</i> chars like &quot; &lt; &#39; ‽'

这是你解决的问题吗?你用了什么工具?

4

1 回答 1

2

You may want to try the Loofah gem:

Loofah.document("SOME TEXT < '<span style='background-image: url(\"http://evil.ru/webbug.png\")'>MORE' & TEXT!!!</span>").to_html
=> "SOME TEXT MORE' &amp; TEXT!!!"

Loofah isn't handling the unicode character in the second example for some reason, but I'd be happy to look into it if you file a Github Issue on Loofah (full disclosure: I'm the author of Loofah and co-author of Nokogiri).

Some more links:

于 2012-07-13T18:48:35.087 回答