防止sql注入

5 years ago · 6dbc8cb172
parent 808edb593b
commit 6dbc8cb172
3 changed files with 3 additions and 2 deletions
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@ -12,6 +12,7 @@ module ApplicationHelper

  # xss共计问题
  def content_safe content
+    return nil if content.nil?
    tags = %w(
        a abbr b bdo blockquote br caption cite code col colgroup dd del dfn dl
        dt em figcaption figure h1 h2 h3 h4 h5 h6 hgroup i img ins kbd li mark
--- a/app/views/graduation_topics/_graduation_comments.json.jbuilder
+++ b/app/views/graduation_topics/_graduation_comments.json.jbuilder
@ -3,7 +3,7 @@ json.author do
 end

 json.id message.id
-json.content message.contents_show(identity)
+json.content content_safe(message.contents_show(identity))
 json.time time_from_now(message.created_at)
 json.hidden message.hidden
 # 主贴与子贴不一致
--- a/app/views/messages/_message_detail.json.jbuilder
+++ b/app/views/messages/_message_detail.json.jbuilder
@ -1,6 +1,6 @@
 json.partial! "messages/message_simple", message: message
 json.partial! "commons/like", message: message
-json.content message.message_detail.try(:content)
+json.content content_safe(message.message_detail.try(:content))
 json.author do
  json.partial! "users/user_simple", user: message.author
 end