Why does the Rails sanitizer strip an href containing an uppercase URL?

Time: 2010-11-21 21:10:17

Tags: ruby-on-rails sanitization

An example:

[Dev]>   ActionController::Base.helpers.sanitize('<a href="http://google.com">test</a>')
=> '<a href="http://google.com">test</a>'
[Dev]>   ActionController::Base.helpers.sanitize('<a href="Http://google.com">test</a>')
=> '<a>test</a>'

Very frustrating!

1 answer:

Answer 0 (score: 2)

This looks like a bug in the contains_bad_protocols? method in action_controller/vendor/html-scanner/html/sanitizer.rb. The method is defined as:

def contains_bad_protocols?(attr_name, value)
    uri_attributes.include?(attr_name) && 
    (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(%|&#37;)3A/ 
        && !allowed_protocols.include?(value.split(protocol_separator).first))
end

and allowed_protocols is:

self.allowed_protocols = Set.new(%w(ed2k ftp http https irc mailto news gopher nntp 
    telnet webcal xmpp callto feed svn urn aim rsync tag ssh sftp rtsp afs))

Therefore:

allowed_protocols.include? 'http' => true
allowed_protocols.include? 'Http' => false
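The following is an added example, not code from the question, the answer, or Rails itself. It reproduces the check described in the answer without loading ActionController, so the case-sensitivity problem can be observed in isolation, and places a hypothetical case-insensitive variant next to it to show that lowercasing the scheme before the lookup keeps disallowed schemes blocked while no longer stripping "Http://". The URI_ATTRIBUTES list, the PROTOCOL_SEPARATOR regex and the render_anchor helper are my assumptions, modelled on the regex quoted in the answer rather than copied from the Rails source.

```ruby
require 'set'

# Assumed stand-ins for the sanitizer's configuration (not the Rails source):
# the allowed scheme list is the one quoted in the answer; the attribute list
# and separator regex are assumptions built from the answer's own regex.
ALLOWED_PROTOCOLS = Set.new(%w(ed2k ftp http https irc mailto news gopher nntp
  telnet webcal xmpp callto feed svn urn aim rsync tag ssh sftp rtsp afs))
URI_ATTRIBUTES = Set.new(%w(href src cite action longdesc lowsrc))
PROTOCOL_SEPARATOR = /:|(&#0*58)|(&#x70)|(%|&#37;)3A/

# Reproduction of the quoted check: the scheme is split off and looked up
# verbatim, so a capitalised scheme such as "Http" misses the Set and the
# attribute is treated as a bad protocol.
def bad_protocol_original?(attr_name, value)
  URI_ATTRIBUTES.include?(attr_name) &&
    (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(%|&#37;)3A/ &&
     !ALLOWED_PROTOCOLS.include?(value.split(PROTOCOL_SEPARATOR).first))
end

# Hypothetical fixed variant (my assumption, not a Rails patch): URL schemes
# are case-insensitive, so normalise the scheme to lowercase before the
# allow-list lookup. Schemes outside the list are still rejected.
def bad_protocol_fixed?(attr_name, value)
  URI_ATTRIBUTES.include?(attr_name) &&
    (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(%|&#37;)3A/ &&
     !ALLOWED_PROTOCOLS.include?(value.split(PROTOCOL_SEPARATOR).first.to_s.downcase))
end

# Mirrors the observable behaviour from the question: when the check fires,
# the href attribute is dropped and a bare <a> is emitted. `checker` is any
# callable taking (attr_name, value); text is not HTML-escaped here because
# the point is only the attribute decision.
def render_anchor(href, text, checker = method(:bad_protocol_original?))
  if checker.call("href", href)
    "<a>#{text}</a>"
  else
    "<a href=\"#{href}\">#{text}</a>"
  end
end

if __FILE__ == $0
  puts render_anchor("http://google.com", "test")
  puts render_anchor("Http://google.com", "test")
  puts render_anchor("Http://google.com", "test", method(:bad_protocol_fixed?))
end
```

Running the file prints the same two outcomes the question shows for "http://" and "Http://", followed by the href surviving under the case-insensitive variant. The relative-path and non-URI-attribute cases in the test show that neither variant fires when there is no scheme to check at all.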