I have a text field that takes the title of the post. But a colleague has
tried to insert JavaScript code with a tag. How do I display
this as-is and not let it execute?
Thanks
You could escape the content via <h;
or
you could use the 'h' or 'sanitize' methods in the template. << should
be automatic almost all of the time

h(str):
  escapes all HTML
sanitize(str):
  escapes script tags, form tags and JavaScript attributes (i.e.
  onclick="alert('hi')")

However, as of Rails 2.0 (maybe 1.2.4 even) sanitize can take parameters
to specify unique filter options.
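A worked example added here (not code from the thread or from Rails itself): a plain-Ruby stand-in for a Rails view showing what `<%= h(title) %>` produces compared with `<%= title %>`. The sample title and the TitleView class are constructed for this demonstration; `sanitize` is a Rails (ActionView) helper and is not reproduced here.

```ruby
require "erb"

# Constructed sample title (not from the thread), standing in for what the
# colleague typed into the Title field.
MALICIOUS_TITLE = %q{My post <script>alert('hi')</script> & "more"}

# Minimal stand-in for a Rails view. Rails mixes ERB::Util into its views,
# which is where the h() helper comes from (h is ERB::Util.html_escape).
class TitleView
  include ERB::Util

  def initialize(title)
    @title = title
  end

  # Renders an ERB template string with the stored title visible as `title`.
  def render(template)
    title = @title
    ERB.new(template).result(binding)
  end
end

ESCAPED_TEMPLATE   = "<h1><%= h(title) %></h1>" # what the asker should use
UNESCAPED_TEMPLATE = "<h1><%= title %></h1>"    # what lets the script run

# Escaped rendering: < > & " ' become entities, so the browser shows the
# text of the tag instead of executing it.
def render_escaped(title)
  TitleView.new(title).render(ESCAPED_TEMPLATE)
end

# Unescaped rendering: the script tag reaches the browser intact.
def render_unescaped(title)
  TitleView.new(title).render(UNESCAPED_TEMPLATE)
end

# True when the rendered HTML still contains a live <script> tag.
def contains_script_tag?(html)
  html.include?("<script")
end

if __FILE__ == $0
  puts render_unescaped(MALICIOUS_TITLE)
  puts render_escaped(MALICIOUS_TITLE)
end
```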
Keynan P. wrote:
You could escape the content via <h;
or
you could use the 'h' or 'sanitize' methods in the template. << should
be automatic almost all of the time

Could you please write some syntax?
Thanks