xss 过滤memo content中的标签

yanxd 2014-06-17 11:41:00 +08:00
parent f9a17241da
commit 2f724aa23e
1 changed files with 2 additions and 1 deletions


@ -48,13 +48,14 @@
<div class="memo-title <%= @memo.sticky ? 'sticky' : '' %> <%= @memo.locked? ? 'locked' : '' %>"><%= label_tag l(:field_subject) %>: <%=h @memo.subject %></div>
<div class="memo-content">
<%= raw @memo.content %>
<%=h sanitize(@memo.content.html_safe) %>
<p>
<% if @memo.attachments.any?%>
<% options = {:author => true, :deletable => @memo.deleted_attach_able_by?(User.current) } %>
<%= render :partial => 'attachments/links', :locals => {:attachments => @memo.attachments, :options => options} %>
<% end %>
</p>
<div class="clearfix"></div>
</div>
<div class="memo-timestamp"> <%= authoring @memo.created_at, @memo.author.name %></div>
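Review bot: On the new `<%=h sanitize(@memo.content.html_safe) %>` line, `h` and `.html_safe` add nothing and the second is misleading: `sanitize` accepts the raw string and returns an already html_safe result, so on Rails 3+ `h` is a no-op, while `.html_safe` marks user-supplied content as trusted before it has been filtered and is easy to copy to a place where no `sanitize` follows. I would write `<%= sanitize(@memo.content) %>` and pass an explicit allowlist through the `:tags` and `:attributes` options that matches what the memo editor can produce, rather than relying on the helper's defaults, which can differ between Rails versions. Any other view that still renders memo or reply content with `raw` would presumably need the same change; none is visible in this hunk. The hunk header counts one more added line than the page shows and the template continues outside the hunk, so this note covers only the visible change.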