ruby-on-rails – 处理用户输入的代码 – 安全性

& --> &
 < --> &lt;
 > --> &gt;
 " --> &quot;
 ' --> &#x27;     &apos; not recommended because its not in the HTML spec (See: section 24.4.1) &apos; is in the XML and XHTML specs.
 / --> &#x2F;     forward slash is included as it helps end an HTML entity

这是他们所说的：

Rule #1 is for when you want to put untrusted data directly into the
HTML body somewhere. This includes inside normal tags like div,p,b,
td,etc. Most web frameworks have a method for HTML escaping for the
characters detailed below. However,this is absolutely not sufficient
for other HTML contexts. You need to implement the other rules
detailed here as well.

06001

Escape the following characters with HTML
entity encoding to prevent switching into any execution context,such
as script,style,or event handlers. Using hex entities is recommended
in the spec. In addition to the 5 characters significant in XML (&,<,>,“,‘),the forward slash is included as it helps to end an HTML entity.

06002

See the 07001 of HTML entity escaping and unescaping.

06003

我的样本实施(不是确定安全)

def sanitize_inside_tags(text)
    {"&"=>"amp","<"=>"lt",">"=>"gt","""=>"quot","'"=>"#x27","/"=>"#x2F"}.each do |char,replacement|
        text = text.gsub(char,"&#{replacement};")
    end
    return text
end

Rails Sanitize方法

这可能是您的最佳选择,因为它不仅是一个使用良好且经过测试的卫生库,而且还允许一些标签,例如< b>和朋友,以便您的用户可以安全地使用一些HTML标记.

在回答您的问题时,您可以安全地使用导轨卫生库,这可能是您的最佳选择.

如果你想剥离所有标签或允许更少,你可以查看custimization here.

语法Hilighting

正如@ImranAli在他的评论中所建议的那样,请查看this post并尝试查看列出的所有库.