回复xss

app/helpers/application_helper.rb

@@ -15,6 +15,17 @@ module ApplicationHelper
     EduSetting.get(name)
   end
 
+  # xss共计问题
+  def content_safe content
+    tags = %w(
+        a abbr b bdo blockquote br caption cite code col colgroup dd del dfn dl
+        dt em figcaption figure h1 h2 h3 h4 h5 h6 hgroup i img ins kbd li mark
+        ol p pre q rp rt ruby s samp small strike strong sub sup table tbody td
+        tfoot th thead time tr u ul var wbr div span
+        )
+    sanitize content, tags: tags
+  end
+
   def graduation_navigation graduation
     graduation.class.to_s == "GraduationTopic" ? "毕设选题" : "毕设任务"
   end

app/views/memos/_memo.json.jbuilder

@@ -3,7 +3,7 @@ json.memo do
   json.forum_id memo.forum_id
   json.subject memo.subject
   json.is_md memo.is_md
-  json.content memo.content
+  json.content content_safe(memo.content)
   json.sticky memo.sticky
   json.reward memo.reward
   json.viewed_count memo.viewed_count

app/views/memos/_replies_list.json.jbuilder

@@ -15,7 +15,7 @@ json.admin @user.admin? || @user.business?
 json.children do
   json.array! memo.children_of_reply do |child|
     json.id child.id
-    json.content child.content
+    json.content content_safe(child.content)
     json.time time_from_now(child.created_at)
     json.image_url url_to_avatar(child.author)
     json.username child.author.full_name