问题
I'm running Rails 4.2.x and I have the following problem.
The <title> of some pages are generated from user content. So I have to use the sanitize Rails helpers to properly clean it up.
But if the user writes something like "A & B", the title shown in browser is A & B which is wrong.
What's the correct way of escaping user content on the <title> tag using Rails? At least some special characters should be included...
回答1:
We can use CGi also
title = "A & B"
=> "A & B"
string = CGI.escapeHTML(title)
=> "A & B"
string = CGI.unescapeHTML(title)
=> "A & B"
Rails providing so many options to escape
Refer these links:
raw vs. html_safe vs. h to unescape html
How to HTML encode/escape a string? Is there a built-in?
If you want remove tags you can use SanitizeHelper
One more option : WhiteListSanitizer
white_list_sanitizer = Rails::Html::WhiteListSanitizer.new
white_list_sanitizer.sanitize(s, tags: %w())
white_list_sanitizer.sanitize(s, tags: %w(table tr td), attributes: %w(id class style))
You can use Rails::Html::TargetScrubber also
回答2:
You can both sanitize and convert html entities to proper characters with a combination of sanitize and the htmlentities gem. This works for me in the console:
gem install htmlentities
then...
c = ActionController::Base::ApplicationController.new
dirty_content = "<script>content & tags</script>"
clean_but_with_entities = c.helpers.sanitize(dirty_content)
nice_looking = HTMLEntities.new.decode(clean_but_with_entities.to_str )
You end up with "content & tags". To make this easier to use I put this in application_controller:
helper_method :sanitize_and_decode
def sanitize_and_decode(str)
helpers.sanitize(str)
HTMLEntities.new.decode(str.to_str)
end
(to_str is to work around the SafeBuffer issue mentioned here)
来源:https://stackoverflow.com/questions/35625464/how-to-show-some-html-entities-on-title-tag-using-rails