Yesod whamlet: render as HTML without being escaped
[whamlet|
<h2> Here's the ES results:
<h1>
<ul>
  $forall EsHighlight high <- highlights re
    <li>
      <br>
      #{toHtml high}
|]
high looks like this:
"large <em>bamboo</em>, and a crotched stick. Throwing these down, he poked under a pile of rubbish, and brought out a rough block of wood, pierced through and through with a hole, which was immediately clapped on the top of the jar. Then planting the crotched stick upright about two yards distant, and making it sustain one end of the <em>bamboo</em>, he inserted the other end of the latter into the hole in the block: concluding these arrangements by placing an old calabash under the farther end of the <em>bamboo</em>."
The problem is that <em> is not rendered as HTML but stays a string, so the web page displays <em> itself.
What can I do?
As a protection against XSS attacks, the default behaviour of Hamlet (and the underlying blaze-html library) is to escape all HTML entities via the toHtml function. If you want to avoid escaping, you can use preEscapedToHtml. Note that using this function on user-supplied data is very dangerous.