Forum: Ruby on Rails html safe and <%=h

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
Suman G. (Guest)
on 2009-04-24 18:05
(Received via mailing list)
Hi all,

This is kinda a noob question. Can someone please explain what html
safe mean, and what the function h in rails do and what are the best
times to use it. Even links will be helpful but i am doubtful if any
good explanations exists because i did a little search on couldn't get
more info.

I know that <%=h tries to make the whatever we are writing to the web
page as html safe by stripping out all the html tags. Does this
include all the <script> tags also??

thanks in advance.

suman
Marnen L. (Guest)
on 2009-04-24 21:01
(Received via mailing list)
On Apr 24, 10:05 am, Suman G. <removed_email_address@domain.invalid> wrote:
[...]
> I know that <%=h tries to make the whatever we are writing to the web
> page as html safe by stripping out all the html tags. Does this
> include all the <script> tags also??

Well, <script> is an HTML tag, isn't it?

Anyway, it's not quite true that h removes HTML tags.  Rather, what it
does is escape characters that have a special meaning in HTML, so that
"<tag>" will become "&lt;tag&gt;".
>
> thanks in advance.
>
> suman

Best,
--
Marnen Laibow-Koser
http://www.marnen.org
removed_email_address@domain.invalid
codeinnova (Guest)
on 2009-04-24 22:18
(Received via mailing list)
Alright. And that is how the XSS attack is prevented.

Suman
This topic is locked and can not be replied to.