Rails3 xss escaping

Hi.

Is there a way to disable the default xss escaping of everything in
rails3?

What’s the proper way of doing string concatenations like below with
rails3 if xss escaping can not be disabled:
"something #{link_to('something else') if value == true}"


M.

Marcelo B. wrote:

> Hi.
>
> Is there a way to disable the default xss escaping of everything in
> rails3?

I don’t know of a way to disable it entirely, that’s sort of the point.
Safe by default.

When you want to bypass the escaping you can use the ‘raw’
method:

<%= raw my_unsafe_string %>

Think of this as the opposite of the old ‘h’ method.

> What’s the proper way of doing string concatenations like below with
> rails3 if xss escaping can not be disabled:
> "something #{link_to('something else') if value == true}"

In helpers it’s also possible to mark the string as html_safe:

"something #{link_to('something else') if value == true}".html_safe

Read this as, “I’m telling you that this is safe so don’t escape it.”
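An added example, not part of either post above and not Rails' own code: a stripped-down Ruby model of how Rails 3's safe-buffer escaping behaves, so the difference between the two answers can be run offline. `SafeBuffer`, `String#html_safe`, `erb_output` and the two-argument `link_to` stand-in are simplified assumptions written for this example (the real ActiveSupport::SafeBuffer and the real `link_to` helper have more behaviour). The point it shows: calling `.html_safe` on an interpolated string marks everything inside it as trusted, including any user-supplied text, whereas appending pieces to a safe buffer keeps the helper output unescaped but still escapes the untrusted parts.

```ruby
require "erb"

# Simplified model of ActiveSupport::SafeBuffer (assumption, not the real class).
# A SafeBuffer is a String that reports itself as html_safe? and escapes any
# plain (unsafe) String appended to it, while appending another SafeBuffer verbatim.
class SafeBuffer < String
  def html_safe?
    true
  end

  def <<(other)
    super(other.html_safe? ? other.to_s : ERB::Util.html_escape(other))
  end
end

class String
  # Plain strings are untrusted by default; html_safe wraps them in a SafeBuffer.
  def html_safe?
    false
  end

  def html_safe
    SafeBuffer.new(self)
  end
end

# What `<%= str %>` does in a Rails 3 template: escape unless the value is marked safe.
# `raw str` simply returns `str.html_safe`, so it takes the second branch here.
def erb_output(str)
  str.html_safe? ? str.to_s : ERB::Util.html_escape(str)
end

# Stand-in for the Rails link_to helper (assumption: takes text and href).
# Markup literals are marked safe; text and href are appended as untrusted
# strings so they get escaped, and the finished tag is a SafeBuffer.
def link_to(text, href)
  buf = SafeBuffer.new
  buf << '<a href="'.html_safe
  buf << href
  buf << '">'.html_safe
  buf << text
  buf << "</a>".html_safe
end

# The pattern from the thread: interpolate first, then mark the whole string safe.
# user_text is swallowed into the trusted string and is never escaped.
def interpolated(user_text, value)
  "#{user_text} #{link_to('something else', '/else') if value}".html_safe
end

# Same output built by appending to a SafeBuffer: the helper's markup stays
# unescaped, but user_text is escaped because it is appended as a plain String.
def appended(user_text, value)
  buf = SafeBuffer.new
  buf << user_text
  buf << " ".html_safe
  buf << link_to("something else", "/else") if value
  buf
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input standing in for a request parameter.
  user_text = "<script>alert(1)</script>"
  puts erb_output(interpolated(user_text, true)) # script tag survives untouched
  puts erb_output(appended(user_text, true))     # script tag is escaped, link intact
end
```

In a real app the same reasoning applies to the reply's `.html_safe` suggestion: it is fine when every piece of the interpolated string is literal or comes from a helper that already escapes its input, and wrong as soon as any part of it originates from a request.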
