我正在尝试实施一个链接,点击时会将您标记为会议的礼物。此链接是帮助程序中的方法:
def link_to_remote_registration(event_id)
down_image = "down_blanco.png"
up_image = "up_blanco.png"
unless registration.nil?
if registration.present == 1
up_image = "up_filled.png"
elsif registration.present == 0
down_image = "down_filled.png"
end
end
link_to_remote_registration = String.new
loading_and_complete = "Element.show('indicator_event_"+event_id.to_s+"'); Element.hide('vote_"+event_id.to_s+"')".html_safe
complete = "Element.hide('indicator_event_"+event_id.to_s+"'); Element.show('vote_"+event_id.to_s+"')".html_safe
link_to_remote_registration =
link_to(image_tag(up_image , :id => 'will_not_attend_event_'+ event_id.to_s , border => 0),
:url => new_registration_path(:present => 1, :event_id => event_id, :escape => false),
:remote => true,
:method => :put,
:loading => loading_and_complete,
:complete => complete)
return link_to_remote_registration
end
问题在于,当我在视图中渲染链接时,某些html会被转义,导致链接无效。
<a href="/calendar?complete=Element.hide%28%27indicator_event_1%27%29%3B+Element.show%28%27vote_1%27%29&loading=Element.show%28%27indicator_event_1%27%29%3B+Element.hide%28%27vote_1%27%29&method=put&remote=true&url=%2Fregistrations%2Fnew%3Fevent_id%3D1%26present%3D1">
<img id="will_not_attend_event_1" border="0" src="/images/up_blanco.png?1198181114" alt="Up_blanco">
</a>
我认为这不是一个有效的网址。我想知道为什么会发生这种情况 - 我在完整的加载字符串上调用html转义。
此致
答案 0 :(得分:8)
由于您是从帮助程序传递html,因此Rails会对其进行清理以防止XSS。您可以通过返回:
来覆盖它 link_to_remote_registration.html_safe
http://railscasts.com/episodes/204-xss-protection-in-rails-3
答案 1 :(得分:0)
您也可以使用raw()而不是在系统范围内禁用XSS。
raw(image_tag(up_image , :id => 'will_not_attend_event_'+ event_id.to_s , border => 0))