Rails的sanitize()在rspec和模型中执行方式不同的原因是什么?

huangapple go评论67阅读模式
英文:

Why does Rails sanitize() perform differently in rspec than in a model?

问题

在我的config/initializers中,我在String类中添加了以下内容:

class String
  def sanitize(options={ tags: %w(div p span strong b em i br ol ul li) })
    ActionController::Base.helpers.sanitize(self, options)
  end
end

在我的本地开发站点上,这会将所有不允许的标签转换为编码的 HTML,所以

"<span><img src=\"nonexistent.png\" onerror=\"alert('This alert should not be shown');\"></span><p>Build something</p>"

会变成

"<span><img src=\"nonexistent.png\" onerror=\"alert('This alert should not be shown');\"/></span><p>Build something</p> "

但是在RSpec中,在同一个字符串上调用相同的方法会导致:

"<span></span><p>Build something</p>"

它不再编码图像标签;它只是完全删除标签。在模型规范中发生这种不同行为的原因是什么?

英文:

In my config/initializers I added the following to the String class:

class String
  def sanitize(options={ tags: %w(div p span strong b em i br ol ul li) })
    ActionController::Base.helpers.sanitize(self, options)
  end
end

On my local development site, this converts all disallowed tags to encoded html, so

"<span><img src=\"nonexistent.png\" onerror=\"alert('This alert should not be shown');\"></span><p>Build something</p>"

becomes

"<span><img src=\"nonexistent.png\" onerror=\"alert('This alert should not be shown');\"/></span><p>Build something</p> "

But in rspec, calling the same method on the same string results in:

"<span></span><p>Build something</p>"

It is not encoding the image tag anymore; it is just stripping the tag out altogether. What is the cause of this different behavior in a model spec than in a model?

答案1

得分: 2

以下是翻译好的内容:

难以确定。容易找出。大多数情况下:不要这样做。

难以确定:
是其他东西在干扰您的清理方法,还是您在干扰别人的?

容易找出:
编写一个测试。在调用清理方法之前设置断点。逐步执行并继续执行。您很可能很快就会看到发生了什么。

不要这样做:

  1. 其他东西要么添加了该方法,要么您可以从其他地方调用清理方法。我不确定对您来说什么是正确的解决方案,但是可能一个控制器或助手方法 sanitize(string, options) 比您所做的更好。毕竟,这就是您在调用的内容。
  2. 如果必须添加一个方法,请不要打开类并像您所做的那样破坏它:
module StringSanitizer
  def sanitize(...)
    super # 如果适用-查看它是否已经存在于类中,或者是否已经有其他东西添加了它
    ActionController::Base.helpers.sanitize(self, options)
  end
end
String.prepend(StringSanitizer)
英文:

Hard to know. Easy to find out. Mostly: don't do that.

Hard to know:
Something else is clobbering your sanitize method or you're clobbering someone else's?

Easy to find out:
Write a test. Set a breakpoint before calling sanitize. Step into it and keep stepping. You'll probably see what's going on pretty quickly.

Don't do that:

  1. Other things either add that method or you can call sanitize from something else. I'm not sure what the right solution is for you, but probably a controller or helper method sanitize(string, options) is better than doing what you've done. After all, that's what you're calling.
  2. If you have to add a method, don't open the class and clobber like you've done:
module StringSanitizer
  def sanitize(...)
    super # if appropriate - see if it already exists in the class or if something else has already added it
    ActionController::Base.helpers.sanitize(self, options)
  end
end
String.prepend(StringSanitizer)

答案2

得分: 0

这是我根据 @kwerle 的建议制定的解决方案:

module Sanitizable
  extend ActiveSupport::Concern

  class_methods do
    def sanitizable(*attributes)
      before_save do |record|
        attributes.each do |attribute|
          record[attribute] = ActionController::Base.helpers.sanitize(record[attribute], tags: %w(p span strong b em i br ol ul li))
        end
      end
    end
  end
end

这可以在模型中使用:

include Sanitizable
sanitizable :subtitle, :description
英文:

Here's the solution I came with following @kwerle 's recommendations:

module Sanitizable
  extend ActiveSupport::Concern

  class_methods do
    def sanitizable(*attributes)
      before_save do |record|
        attributes.each do |attribute|
          record[attribute] = ActionController::Base.helpers.sanitize(record[attribute], tags: %w(p span strong b em i br ol ul li))
        end
      end
    end
  end
end

and this can be used in a model with:

include Sanitizable
sanitizable :subtitle, :description

</details>



huangapple
  • 本文由 发表于 2023年5月26日 09:05:08
  • 转载请务必保留本文链接:https://go.coder-hub.com/76337053.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定