I want to diplay html content in the browser without escaping it.my code is as below.

我想在浏览器中显示html内容而不转义它。我的代码如下所示。

<% @mydata = "<p>paragraph</p><h1>Test</h1><script>alert('got your cookie')</script><h1>another test</h1>" %>

<%= sanitize @mydata  %>

here i can't use raw method because raw method will execute malicious javascript code and hence i am using rails sanitize method. but the problem is that rails sanitize method deleting <script>alert('got your cookie')</scipt> line and not showing it in the browser.

在这里我不能使用原始方法,因为原始方法将执行恶意javascript代码,因此我使用rails sanitize方法。但问题是rails清理方法删除

I am getting output as below

我得到如下输出

paragraph

Test

another test

My expected output is as below

我的预期产量如下

paragraph

Test

another test

is there any way to unescape html content and escape only javascript content from the user input?

是否有任何方法来unescape html内容并从用户输入中仅转义javascript内容?

Thanks,

1 个解决方案

<%= sanitize @comment.body, tags: %w(strong em a), attributes: %w(href) %>

require 'cgi'
CGI.escapeHTML('<h1>hi</h1><script>aeuoau</script>')
# => "&lt;h1&gt;hi&lt;/h1&gt;&lt;script&gt;aeuoau&lt;/script&gt;"

raw(simple_format('<h1>hi</h1><script>aeuoau</script>'))
# => "<p><h1>hi</h1>aeuoau</p>"