0

这是我的 posts/index.html.erb 文件的代码:

<!--
  Iterate over each post in list format
-->
  <% @posts.each do |post| %>       
    <ul class="posts">
    <!--
      Link to article, display date created, show edit, delete links if logged in
    -->
    <li><%= link_to "#{post.title}".html_safe, post, id: "article" %></li>
    <li id="date">  <%= post.created_at.strftime("%B %Y") %></li>

    <% if logged_in? %>
      <li>
        <%= link_to 'Edit', "/editor" + post_path(post), id: "edit_delete", data: {save_url: mercury_update_post_path(post)}  %>
        <%= link_to 'Delete', post, id: "edit_delete", :method => :delete %>    
      </li>
    <% end %>
  </ul>
<% end %>

在我的本地开发和生产环境中,关联的 css 样式表和 html 可以在浏览器中正确编译和呈现。但是,当我将此代码部署到 heroku 时,它会添加一些我之前删除的旧 HTML,如页面源代码所示:

    <!--
    Iterate over each post in list format
-->
            <ul class="posts">
                <!--
                    Link to article, display date created
                -->
                <li>    <a href="/posts/5" id="article"><b>Endurance Exercise is Bad for your Health?</b>
<div><b><br></b></div></a>  </li>
                <li id="date">  February 2013                                   </li>

                    <!--
                        Show edit, delete links if logged in
                    -->
            </ul>

请参阅<div><b><br></b></div>文章“耐力运动对您的健康有害?”链接标签中嵌入的标签。...任何人都知道为什么在生产中部署到heroku时将其放在那里?

4

1 回答 1

1

这是你的罪魁祸首。 "#{post.title}".html_safe

One of the posts that you are displaying has html tags in its title. It's a bad idea to call .html_safe to anything entered by a user. You should escape that using h(post.title) or sanitize the string first for accepted tags. Look at the sanitize helper

于 2013-02-26T00:00:59.157 回答