so h() is an alias for html_escape() and they convert the following 4
characters
< > & "
into
< > & "
the single quote is not converted…
I just wonder sometimes we happen to write code such as
and it can cause an cross-site scripting (XSS) attack?
we usually use double quote but sometimes we use single quote like
somebody can write
puts “”
(sorry i have used PHP for quite some time and so by Ruby is rusty…)
This is a Rails question. Please ask Rails questions in a Rails forum,
not on the Ruby mailing list.
SpringFlowers AutumnMoon wrote:
the single quote is not converted…
I just wonder sometimes we happen to write code such as
Just don’t, it’s not correct HTML.
Hi,
At Sun, 28 Sep 2008 04:28:45 +0900,
SpringFlowers AutumnMoon wrote in [ruby-talk:316193]:
the single quote is not converted…
I guess that is because the character entity reference of
single quote isn’t defined in HTML.
we usually use double quote but sometimes we use single quote like
somebody can writeputs “”
You can use other delimiters than double quote and single quote.
puts %[]
or heredoc.
puts <<HIDDEN
HIDDEN
Heredocs include the last newline, but no differences to use
with #puts.
Andreas S. wrote:
Just don’t, it’s not correct HTML.
really – i thought HTML 4.01 allows using either double or single
quote?
On Sep 27, 10:19 pm, SpringFlowers AutumnMoon <rails-mailing-
[email protected]> wrote:
Andreas S. wrote:
Just don’t, it’s not correct HTML.
really – i thought HTML 4.01 allows using either double or single
quote?
perhaps, but if h() doesn’t escape single quotes then you’d want to
avoid using single quotes as the attribute value delimiter.
This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.
Sponsor our Newsletter | Privacy Policy | Terms of Service | Remote Ruby Jobs