Rails 4, link in flash message is not parsed as HT

2019-01-25 18:19发布

站内问答 / 移动开发
1378 2 6

In controller I have the following flash message:

flash[:notice] = %Q[Please #{view_context.link_to('create a new account', new_account_path)}, after that you will be able to create orders.].html_safe

Here is flash area in layout:

<div id="main_flash_area">
<% flash.each do |name, msg| %>
    <div class="alert text-center alert-info">
      <a class="close" data-dismiss="alert">&times; Закрыть</a>
      <%= msg %>
    </div>
<% end %>
</div>

It kinda renders into a link, but browser doesn't parse it as a link though. It is displayed as

Please <a href="/accounts/new">create a new account</a>, after that you will be able to create orders.

The generated HTML:

<div id="main_flash_area">
    <div class="alert text-center alert-info">
      <a class="close" data-dismiss="alert">× Закрыть</a>
      Please &lt;a href="/accounts/new"&gt;create a new account&lt;/a&gt;, after that you will be able to create orders.
    </div>
</div>

How do I make it a proper link? I guess it escapes < a> tag at some point.

2条回答
Viruses.
2楼-- · 2019-01-25 18:27

You need to sanitise your flash msg in the view.

<%= sanitize(msg) %>

This will render the link in the view rather than escaping the html.

Be aware that this will apply to all flash messages in your app. If you display any user input in the flash message you will have to remember to escape it before displaying it as Rails auto escaping will not apply.

Note the sanitize helper is less permissive that the raw helper and it can be configured. It works with links automatically, It removes script tags by default providing some protection if you have user content in your flash but you will need to do a full check to ensure you do not introduce any security issues. Check the Rails docs for more info.

查看更多
0人赞 添加讨论(0) 举报
相关推荐>>
3楼-- · 2019-01-25 18:44

thanks a lot for your solution nmott.

Here's a little bit more context for future readers, including your solution, as I couldn't understand how to use it.

in views/layout/application.html.erb , notice the sanitize(msg) in order to render html.

<body>
   <%= render 'layouts/header' %>
  <div class="container">
  <% flash.each do |name, msg| %>
  <%= content_tag(:div, sanitize(msg), class: "alert alert-info") %>
<% end %>
<%= yield %>
</div>
</body>

To make it work for an update, in controllers/your_model_controller.rb :

def update
    respond_to do |format|
      if @review.update(review_params)
        format.html { redirect_to @item, notice: "Review was successfully updated. #{view_context.link_to("review", item_review_path(@review.item, @review))}" }
        format.json { render :show, status: :ok, location: @item }
      else
        format.html { render :edit }
        format.json { render json: @item.errors, status: :unprocessable_entity }
      end
    end
  end
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(6)