xss注入问题

5 years ago · 14fafdfa4a
parent 19cdfc1a12
commit 14fafdfa4a
4 changed files with 16 additions and 3 deletions
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@ -10,6 +10,19 @@ module ApplicationHelper

  ONE_YEAR = 12 * ONE_MONTH

+  # xss共计问题
+  def content_safe content
+    tags = %w(
+        a abbr b bdo blockquote br caption cite code col colgroup dd del dfn dl
+        dt em figcaption figure h1 h2 h3 h4 h5 h6 hgroup i img ins kbd li mark
+        ol p pre q rp rt ruby s samp small strike strong sub sup table tbody td
+        tfoot th thead time tr u ul var wbr div span
+        )
+    attributes = %w(href src width height alt cite datetime title class name xml:lang abbr style)
+    sanitize content, tags: tags, attributes: attributes
+  end
+
+
  # 全局参数配置
  def edu_setting name
    EduSetting.get(name)
--- a/app/views/discusses/_discuss.json.jbuilder
+++ b/app/views/discusses/_discuss.json.jbuilder
@ -2,7 +2,7 @@ json.author do
  json.partial! 'users/user', user: discuss.user
 end
 json.id discuss.id
-json.content discuss.content
+json.content content_safe(discuss.content)
 json.time time_from_now(discuss.created_at)
 json.position discuss.position
 json.shixun_id discuss.dis_id
--- a/app/views/memos/_memo.json.jbuilder
+++ b/app/views/memos/_memo.json.jbuilder
@ -3,7 +3,7 @@ json.memo do
  json.forum_id memo.forum_id
  json.subject memo.subject
  json.is_md memo.is_md
-  json.content memo.content
+  json.content content_safe(memo.content)
  json.sticky memo.sticky
  json.reward memo.reward
  json.viewed_count memo.viewed_count
--- a/app/views/memos/_replies_list.json.jbuilder
+++ b/app/views/memos/_replies_list.json.jbuilder
@ -1,5 +1,5 @@
 json.id memo.id
-json.content memo.content
+json.content content_safe(memo.content)
 json.time time_from_now(memo.created_at)
 json.user_id memo.author_id
 json.image_url url_to_avatar(memo.author)