html_safe
Marks a string as trusted safe. It will be inserted into HTML with no additional escaping performed. It is your responsibility to ensure that the string contains no malicious content. This method is equivalent to the
raw
helper in views. It is recommended that you usesanitize
instead of this method. It should never be called on user input.raw
以下raw源码表明,该方法和html_safe同义,作用是不对输出的字符串进行转码
#裸奔~
raw @user.name
# => 'Jimmy <alert>Tables</alert>'
#File actionview/lib/action_view/helpers/output_safety_helper.rb, line 16
def raw(stringish)
stringish.to_s.html_safe
end
因此若使用这两个方法对用户输入的内容进行展示是有安全隐患的。如html_safe的方法注解推荐,应该使用sanitize,该方法使用白名单的方式,定义了一些默认的(可自行定义)标签和属性,在展现html内容时,减少了安全隐患。