When is it possible to set as the value
of
project.name, what it the best way to escape the output of the
following?
Dennis Byrne
On 7/13/06, [email protected] [email protected] wrote:
<%=h project.name %>When is it possible to set as the value of
<%= project.name %>
project.name, what it the best way to escape the output of the following?
Hi Dennis,
Dennis_Byrne wrote:
When is it possible to set
as the value of project.name,
Not sure I understand this. Is it something you want to do? Or
something
you’re trying to protect against?
what it the best way to escape the output of the following?
<%= project.name %>
<%=h project.name %> is the standard way of escaping output in Rails.
hth,
Bill
On Thursday, July 13, 2006, at 9:28 AM, wrote:
[email protected]
http://lists.rubyonrails.org/mailman/listinfo/rails
like this…
<%= h project.name %>h() is a shortcut for html_escape, and should be used for any text
output in a view that could be malicious. I seem to recall support was
added to ERB a while back to make this the default behavior.
_Kevin
OK, just use h. Thanks to Kevin and Bill.
Dennis Byrne
Kevin O. [email protected]
Sent by: [email protected]
07/13/2006 09:42 AM
Please respond to
[email protected]
To
[email protected]
cc
Subject
Re: [Rails] script injection/cross-site scripting protection
On Thursday, July 13, 2006, at 9:28 AM, wrote:
[email protected]
http://lists.rubyonrails.org/mailman/listinfo/rails
like this…
<%= h project.name %>h() is a shortcut for html_escape, and should be used for any text
output in a view that could be malicious. I seem to recall support was
added to ERB a while back to make this the default behavior.
_Kevin