Why does the Rails sanitizer remove hrefs that contain capitalized URLs?
An example:
[Dev]> ActionController::Base.helpers.sanitize('<a href="http://google.com">test</a>')
=> '<a href="http://google.com">test</a>'
[Dev]> ActionController::Base.helpers.sanitize('<a href="Http://google.com">test</a>')
=> '<a>test</a>'
Extremely frustrating!
This seems to be a bug in the method contains_bad_protocols?
in action_controller/vendor/html-scanner/html/sanitizer.rb. This method is defined as:
def contains_bad_protocols?(attr_name, value)
  uri_attributes.include?(attr_name) &&
    (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(%|&#37)3A/ &&
     !allowed_protocols.include?(value.split(protocol_separator).first))
end
And allowed_protocols as:
self.allowed_protocols = Set.new(%w(ed2k ftp http https irc mailto news gopher nntp
telnet webcal xmpp callto feed svn urn aim rsync tag ssh sftp rtsp afs))
Thus:
allowed_protocols.include? 'http' => true
allowed_protocols.include? 'Http' => false
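A stand-alone reproduction of that check, added here and not code from the question or from Rails, which puts the quoted case-sensitive lookup beside a variant that normalises the scheme before the allow-list lookup; the uri_attributes and protocol_separator values are assumed, since the answer does not quote them.

```ruby
require 'set'

# Allow-list quoted in the answer above.
ALLOWED_PROTOCOLS = Set.new(%w(ed2k ftp http https irc mailto news gopher nntp
  telnet webcal xmpp callto feed svn urn aim rsync tag ssh sftp rtsp afs))
# Assumed: the attribute names the sanitizer treats as URI-bearing.
URI_ATTRIBUTES = Set.new(%w(href src cite action longdesc xlink:href lowsrc))
# Assumed: the separator the scheme is split on (':' or an encoded colon).
PROTOCOL_SEPARATOR = /:|(&#0*58)|(&#x70)|(%|&#37)3A/i
# Detector regex as quoted in the answer (no /i flag).
BAD_PROTOCOL_RE = /(^[^\/:]*):|(&#0*58)|(&#x70)|(%|&#37)3A/

# Behaviour quoted in the answer: exact, case-sensitive lookup of the scheme,
# so "Http" is not found in the allow-list and the href is stripped.
def contains_bad_protocols_original?(attr_name, value)
  URI_ATTRIBUTES.include?(attr_name) &&
    ((value =~ BAD_PROTOCOL_RE) &&
     !ALLOWED_PROTOCOLS.include?(value.split(PROTOCOL_SEPARATOR).first))
end

# Corrected variant: URI schemes are case-insensitive (RFC 3986 section 3.1),
# so normalise the scheme before the lookup. Unknown schemes such as
# javascript: are still rejected; only the spurious rejection of "Http" goes.
def contains_bad_protocols_fixed?(attr_name, value)
  return false unless URI_ATTRIBUTES.include?(attr_name)
  return false unless value =~ Regexp.new(BAD_PROTOCOL_RE.source, Regexp::IGNORECASE)
  scheme = value.split(PROTOCOL_SEPARATOR).first.to_s.downcase.strip
  !ALLOWED_PROTOCOLS.include?(scheme)
end

# Run both checks over a list of hrefs; returns [href, original_rejects, fixed_rejects].
def compare(hrefs)
  hrefs.map do |href|
    [href,
     !!contains_bad_protocols_original?('href', href),
     contains_bad_protocols_fixed?('href', href)]
  end
end

# Constructed sample hrefs, including the two from the question.
SAMPLE_HREFS = [
  'http://google.com',      # allowed by both
  'Http://google.com',      # rejected by the original only (the reported bug)
  'HTTPS://example.com',    # same bug, different scheme
  'javascript:alert(1)',    # rejected by both, as intended
  '/relative/path',         # no scheme, allowed by both
].freeze

if __FILE__ == $0
  compare(SAMPLE_HREFS).each { |h, o, f| puts format('%-22s original=%-5s fixed=%s', h, o, f) }
end
```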