我有一个rails4应用程序。如果我在表单中提交<script>alert('haha')</script>,则会显示警报,因此它不会转义js(尽管有<%= j render @post %>),因此我的应用程序不受XSS保护。
为什么会这样?我该怎么办?
控制器
def create
@post = current_user.posts.new(post_params)
@post_comment = PostComment.new
if @post.save
respond_to do |format|
format.html { redirect_to @post, notice: "Post saved!" }
format.js
end
else
.......
_form
<%= form_for @post, remote: true, method: :post, class: "post-create-form" do |f| %>
<div class="alert alert-danger" style="display:none">
<ul class="errors" style="display:none">
<%= render 'layouts/error_messages', object: f.object %>
</ul>
</div>
<div class="form-group">
<%= f.text_area :body, placeholder: "Share something useful..", class: "form-control post-create-body" %>
</div>
<div class="form-group">
<%= f.button "Share", class: "btn btn-primary btn-create-post", data: {disable_with: "<i class='fa fa-spinner fa-spin'></i> Saving..."} %>
</div>
create.js.erb
$("ul.errors").html("");
<% if @post.errors.any? %>
$('.alert-danger').show();
$('ul.errors').show();
<% @post.errors.full_messages.each do |message| %>
$("ul.errors").append($("<li />").html("<%= message.html_safe %>"));
<% end %>
<% else %>
$('ul.errors').hide();
$('.alert-danger').hide();
$('.post-index').prepend('<%= j render @post %>');
$('.post-create-body').val('');
$('.btn-create-post').prop('disabled',true);
<% end %>