Our current project uses the cells gem
https://github.com/trailblazer/cells
Before 4.0
Before 4.0, Cells used Rails' render, which HTML-escapes by default.
For example, the following code was fine:
@text = '<script>alert("hello")</script>'
<%= @text %>
After 4.0
We currently plan to upgrade to 4.0,
but from 4.0 on, Cells uses a different render method that does not HTML-escape by default; you have to pass an already escaped value, like this:
@text = '<script>alert("hello")</script>'
<%= h @text %>
http://trailblazer.to/gems/cells/cells4.html
Cells per default does not escape HTML. However, you may run into problems when using Rails helpers. Internally, those helpers often blindly escape. This is not Cells’ fault but a design flaw in Rails. Everything related to #capture will cause problems - check this as an example. As you can see, this is Rails swinging the escape hammer. Please don’t blame us for escapes where they shouldn’t be. Rather open an issue on Rails and tell them to make their code better overrideable for us.
But writing escape code by hand for every field feels tedious, and if someone forgets one, it becomes a security problem.
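To make the difference concrete, here is a small added example (my own code, not from the post or from the Cells project) using plain Ruby ERB from the standard library. Plain ERB does not escape `<%= %>` output, which matches what the post describes for Cells 4, so the first function reproduces the problem, the second applies the `h` fix from the post, and the third shows a defensive pattern in which a view context hands every value to the template already escaped and makes unescaped output an explicit opt-in. The `EscapingContext` class and its `get`/`raw` methods are hypothetical helpers of my own, not a Cells API, and the sample text is constructed.

```ruby
require 'erb'

# Constructed sample input: the same value the post assigns to @text.
SAMPLE_TEXT = '<script>alert("hello")</script>'

# Plain ERB behaves the way the post describes Cells 4: <%= %> output is not
# escaped, so the script tag reaches the browser verbatim.
def render_unescaped(text)
  ERB.new('<p><%= text %></p>').result(binding)
end

# The fix shown in the post: escape at the call site. In ERB, h is an alias
# for ERB::Util.html_escape, which is what Rails' h helper wraps as well.
def render_escaped(text)
  ERB.new('<p><%= ERB::Util.html_escape(text) %></p>').result(binding)
end

# Defensive pattern (hypothetical helper, not a Cells API): every value the
# template can read is escaped by default, and unescaped output requires an
# explicit call to raw, which is easy to audit with grep. A forgotten field
# then fails safe instead of becoming an XSS.
class EscapingContext
  include ERB::Util

  def initialize(values)
    @values = values
  end

  # Escaped by default: what templates should normally call.
  def get(key)
    html_escape(@values.fetch(key).to_s)
  end

  # Explicit opt-out for markup you have already verified is safe.
  def raw(key)
    @values.fetch(key).to_s
  end

  # Evaluate the template in this object's binding so it can only reach
  # values through get and raw.
  def render(template)
    ERB.new(template).result(binding)
  end
end

def render_with_context(text)
  EscapingContext.new(text: text).render('<p><%= get(:text) %></p>')
end

if __FILE__ == $PROGRAM_NAME
  puts render_unescaped(SAMPLE_TEXT)    # script tag survives: the bug
  puts render_escaped(SAMPLE_TEXT)      # entities only: the fix from the post
  puts render_with_context(SAMPLE_TEXT) # same result, but escaping is the default
end
```

The point of the context class is that the safe path is the short one (`get`) and the dangerous path has a distinctive name (`raw`), so a code review or a grep for `raw(` finds every place where escaping was deliberately turned off, rather than having to find every place where `h` was forgotten.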
Question
For now I've added html_escape to everything that needs escaping as a stopgap (there are probably places I've missed).
I haven't found a better approach. Has anyone run into the same problem?