Rails - wrap an HTML element around link_to () text in ruby code without turning off all screens

Question

Rails - wrap an HTML element around link_to () text in ruby code without turning off all screens

It's pretty simple, but I have not been able to find anything in the Rails documentation. There is a helper presentation method (Ruby code, not HAML code) that returns

link_to(user_controlled_text, destination, options)

and I need to wrap the HTML element (namely <bdi>) around user_controlled_text. If i do

link_to("<bdi>#{user_controlled_text}</bdi>", ...)

then my element is considered as part of the user-driven text to be escaped. Fair. How can I tell Rails not to avoid <bdi>and </bdi>, but still to avoid user_controlled_text?

+4

ruby-on-rails ruby-on-rails-5 xss

zwol Feb 27 '18 at 18:56

source share

3 answers

Give it a try link_to("<bdi>#{h user_controlled_text}</bdi>".html_safe, ...).

h , ERB::Util::h.

+2

Phlip 27 . '18 19:04

I agreed with the first two answers. You can also use the block if the purpose of your link is difficult to enter in the name parameter. I used as below

<%= link_to(destination) do %>
    <bdi>
        <%= user_controlled_text %>
    </bdi>
<% end %>

But I know that this is not valid HTML, for example, using a div inside a tag a href.

Here is the full link

0

fool-dev Feb 28 '18 at 3:54

source share

max · Accepted Answer · 2018-02-27T19:42:47+0000

Use content_tag:

link_to(content_tag(:bdi, user_controlled_text), destination)

# or with a block
link_to(destination) do
  content_tag(:bdi, user_controlled_text)
end

Rails - wrap an HTML element around link_to () text in ruby ​​code without turning off all screens

More articles:

Rails - wrap an HTML element around link_to () text in ruby code without turning off all screens