I have a text field that takes Title of the post. But a colleague has
tried to insert in javascript code with tag. how do I display
this as-it-is and not let is execute?
Thanks
you could escape the content via <h;
or
you could use the ‘h’ or ‘sanatize’ methods in the template. << should
be automatic almost all of the time
h(str):
escapes all html
sanitize(str):
escapes script tags, form tags and javascript attributes (ie.
onclick=“alert(‘hi’)”
however as of rails 2.0 (maybe 1.2.4 even) sanitize can take parameters
to specify unique filter options.
Keynan P. wrote:
you could escape the content via <h;
or
you could use the ‘h’ or ‘sanatize’ methods in the template. << should
be automatic almost all of the time
could you please write some syntax?
thanks