In a helper method I have this:
在辅助方法中我有这个:
content_for(:title, raw(page_title))
And in my view I have this after calling the helper method:
在我看来,我在调用辅助方法后得到了这个:
<%= h(content_for(:title)) %>
However when I do this, the h() does not HTML escape the content? I've also tried content_for(:title).html_safe and html_escape(content_for(:title)) with no success.
但是当我这样做时,h()没有HTML转义内容?我也尝试过content_for(:title).html_safe和html_escape(content_for(:title))但没有成功。
I save the content as raw as I want to access the raw (unescaped) content in a separate view. I'm on Rails 3.0.17.
我将内容保存为原始内容,因为我想在单独的视图中访问原始(未转义的)内容。我在Rails 3.0.17上。
1 个解决方案
#1
1
After some investigation, here's my conclusions: It's all about html_safe.
经过一番调查,这是我的结论:这都是关于html_safe的。
Let me explain with some code:
让我解释一些代码:
page_title.html_safe? #false
raw(page_title).html_safe? #true - that's all that raw does
content_for(:title, raw(page_title)) #associates :title with page_title, where page_title.html_safe? returns true
Now when the view calls the helper method here's what happens:
现在,当视图调用helper方法时,会发生以下情况:
content_for(:title) #no escaping. Since page_title was stored and html_safe is true, conetnt_for will not escape
h(content_for(:title)) #no escaping. Since the last line returned a string where html_safe? returns true, this will also not escape.
<%= h(content_for(:title)) %> #no escaping. Same reason as above
In short, raw simply sets the html_safe attribute on the string/SafeBuffer. Escaping is performed only on strings where string.html_safe? returns false. Since the string returns true at each opportunity for escaping, the string is never escaped.
简而言之,raw只是在字符串/ SafeBuffer上设置html_safe属性。转义仅在string.html_safe的字符串上执行?返回false。由于字符串在每次转义时都返回true,因此永远不会转义该字符串。
Resolution:
解析度:
Create a new string through interpolation or concatenation - this will set html_safe to false again and the string will be escaped.
通过插值或连接创建一个新字符串 - 这将再次将html_safe设置为false,并且字符串将被转义。
For more, check out this guide on SafeBuffers and read the docs.
有关更多信息,请查看有关SafeBuffers的本指南并阅读文档。
#1
1
After some investigation, here's my conclusions: It's all about html_safe.
经过一番调查,这是我的结论:这都是关于html_safe的。
Let me explain with some code:
让我解释一些代码:
page_title.html_safe? #false
raw(page_title).html_safe? #true - that's all that raw does
content_for(:title, raw(page_title)) #associates :title with page_title, where page_title.html_safe? returns true
Now when the view calls the helper method here's what happens:
现在,当视图调用helper方法时,会发生以下情况:
content_for(:title) #no escaping. Since page_title was stored and html_safe is true, conetnt_for will not escape
h(content_for(:title)) #no escaping. Since the last line returned a string where html_safe? returns true, this will also not escape.
<%= h(content_for(:title)) %> #no escaping. Same reason as above
In short, raw simply sets the html_safe attribute on the string/SafeBuffer. Escaping is performed only on strings where string.html_safe? returns false. Since the string returns true at each opportunity for escaping, the string is never escaped.
简而言之,raw只是在字符串/ SafeBuffer上设置html_safe属性。转义仅在string.html_safe的字符串上执行?返回false。由于字符串在每次转义时都返回true,因此永远不会转义该字符串。
Resolution:
解析度:
Create a new string through interpolation or concatenation - this will set html_safe to false again and the string will be escaped.
通过插值或连接创建一个新字符串 - 这将再次将html_safe设置为false,并且字符串将被转义。
For more, check out this guide on SafeBuffers and read the docs.
有关更多信息,请查看有关SafeBuffers的本指南并阅读文档。