mal*_*uri 83 ruby activerecord ruby-on-rails
I have the following code:
class Product < ActiveRecord::Base
  validates :title, :description, :image_url, presence: true
  validates :price, numericality: {greater_than_or_equal_to: 0.01}
  validates :title, uniqueness: true
  validates :image_url, allow_blank: true, format: {
    with: %r{\.(gif|jpg|png)$}i,
    message: 'URL must point to GIF/JPG/PNG pictures'
  }
end
It works, but when I try to test it with "rake test" I get this message:
rake aborted!
The provided regular expression is using multiline anchors (^ or $), which may present a security risk. Did you mean to use \A and \z, or forgot to add the :multiline => true option?
What does this mean, and how do I fix it?
old*_*god 154
^ and $ are start-of-line and end-of-line anchors, whereas \A and \z are always start-of-string and end-of-string anchors.
See the difference:
string = "abcde\nzzzz"
# => "abcde\nzzzz"
/^abcde$/ === string    # $ matches just before the embedded "\n"
# => true
/\Aabcde\z/ === string  # \z requires the end of the whole string
# => false
So Rails is telling you: "Are you sure you want to use ^ and $? Didn't you mean \A and \z?"
More on the Rails security issue that generates this warning is here.
ole*_*ole 30
This warning is raised because your validation rule is vulnerable to JavaScript injection.
In your case \.(gif|jpg|png)$ matches up to the end of a line, so your rule validates the value pic.png\n<script>alert(1)</script> as true:
# Regexp#=== is used here; with the string on the left, String#=== would be false in both cases.
/\.(gif|jpg|png)$/i === "test.png\n<script>alert(1)</script>"
# => true
/\.(gif|jpg|png)\z/i === "test.png\n<script>alert(1)</script>"
# => false
Read the following:
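Both answers above make the same point: ^ and $ are line anchors, so a multi-line value can smuggle arbitrary text past a format validation. The following is an added example, not code from the question or either answer, that puts the loose and the hardened pattern side by side on constructed inputs, shows the \Z trap (it still tolerates a trailing newline), and includes a hypothetical multiline_anchors? check modelled on what ActiveModel's format validator does when it emits that warning; the method names and sample strings are my own assumptions.

```ruby
# Added example (not from the original question or answers).

# Vulnerable: ^ and $ match at line boundaries inside the string.
LOOSE_IMAGE_URL = %r{\.(gif|jpg|png)$}i

# Looks safer but is not: \Z still matches before a final "\n".
TRAILING_NL_IMAGE_URL = %r{\.(gif|jpg|png)\Z}i

# Hardened: \A and \z anchor to the start and end of the whole string.
STRICT_IMAGE_URL = %r{\A\S+\.(gif|jpg|png)\z}i

# Returns true when the whole value satisfies the pattern.
def valid_image_url?(url, pattern)
  pattern.match?(url)
end

# Hypothetical check modelled on ActiveModel's FormatValidator (assumption, not
# the Rails source): a pattern whose source starts with ^ or ends with an
# unescaped $ is using multiline anchors and should be rejected unless the
# caller opted in with multiline: true.
def multiline_anchors?(regexp)
  src = regexp.source
  src.start_with?("^") || (src.end_with?("$") && !src.end_with?("\\$"))
end

# Constructed inputs: a benign value, the injection payload from the answers,
# a value with only a trailing newline, and a wrong extension.
SAMPLES = [
  "cat.png",
  "cat.png\n<script>alert(1)</script>",
  "cat.png\n",
  "cat.exe",
].freeze

# Runs every sample through every pattern; returns { pattern_name => [bools] }.
def compare_patterns
  {
    loose:       SAMPLES.map { |s| valid_image_url?(s, LOOSE_IMAGE_URL) },
    trailing_nl: SAMPLES.map { |s| valid_image_url?(s, TRAILING_NL_IMAGE_URL) },
    strict:      SAMPLES.map { |s| valid_image_url?(s, STRICT_IMAGE_URL) },
  }
end

if __FILE__ == $PROGRAM_NAME
  compare_patterns.each { |name, results| puts "#{name}: #{results.inspect}" }
  [LOOSE_IMAGE_URL, TRAILING_NL_IMAGE_URL, STRICT_IMAGE_URL].each do |re|
    puts "#{re.inspect} uses multiline anchors? #{multiline_anchors?(re)}"
  end
end
```

Only the strict pattern rejects both the script payload and the trailing-newline value; \Z is not a substitute for \z. If a field genuinely may span lines, pass multiline: true to the format validator rather than silencing the warning, and anchor each line deliberately.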
Views: 29999