Script injection/cross-site scripting protection

When is it possible to set as the value of project.name, what is the best way to escape the output of the following?

<%= project.name %>

Dennis Byrne

On 7/13/06, [email protected] [email protected] wrote:

When is it possible to set as the value of project.name, what is the best way to escape the output of the following?

<%= project.name %>
<%=h project.name %>

Hi Dennis,

Dennis_Byrne wrote:

When is it possible to set as the value of project.name,

Not sure I understand this. Is it something you want to do? Or
something
you’re trying to protect against?

what is the best way to escape the output of the following?

<%= project.name %>

<%=h project.name %> is the standard way of escaping output in Rails.

hth,
Bill

On Thursday, July 13, 2006, at 9:28 AM, wrote:


like this…

<%= h project.name %>

h() is a shortcut for html_escape, and should be used for any text
output in a view that could be malicious. I seem to recall support was
added to ERB a while back to make this the default behavior.

_Kevin
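The escaping Kevin describes, as an added example that is not code from this thread or from Rails itself: Ruby's ERB::Util.html_escape, which Rails exposes in views as h(), rendered against a constructed project name that carries a script payload. The Project struct, the two view strings and the payload are assumptions made for illustration; the point is that only the h-wrapped view neutralises the tag.

```ruby
require "erb"

# Rails' h() is ERB::Util.html_escape (aliased h in that module); including the
# module here makes h callable from the template exactly as it is in a Rails view.
include ERB::Util

# Constructed sample data (assumption, not from the thread): a project whose
# name is an attacker-controlled script payload.
Project = Struct.new(:name)
EVIL_PROJECT = Project.new('<script>alert("xss")</script>')
SAFE_PROJECT = Project.new("Widgets & Co")

# The two views discussed in the thread, wrapped in a list item for context.
UNESCAPED_VIEW = "<li><%= project.name %></li>"
ESCAPED_VIEW   = "<li><%= h project.name %></li>"

# Render a view template for a project the way an ERB-backed Rails view would:
# the template sees the local `project` (and h) through this method's binding.
def render_view(template, project)
  ERB.new(template).result(binding)
end

# True when the rendered HTML still contains a raw <script tag, i.e. the
# payload reached the browser as markup rather than as text.
def script_injected?(html)
  html.include?("<script")
end

def unescaped_output(project = EVIL_PROJECT)
  render_view(UNESCAPED_VIEW, project)
end

def escaped_output(project = EVIL_PROJECT)
  render_view(ESCAPED_VIEW, project)
end

if __FILE__ == $PROGRAM_NAME
  puts "unescaped: #{unescaped_output}"
  puts "escaped:   #{escaped_output}"
  # A benign name is still rendered readably; only the ampersand changes.
  puts "safe name: #{escaped_output(SAFE_PROJECT)}"
end
```

Run it with plain `ruby`: the unescaped view emits the script tag verbatim, while the h-wrapped view turns `<`, `>` and `"` into `&lt;`, `&gt;` and `&quot;`, so the browser shows the payload as text. The same call on a harmless name like "Widgets & Co" only rewrites the ampersand, which is why h is safe to apply to every text value in a view rather than just the ones you suspect.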

OK, just use h. Thanks to Kevin and Bill.

Dennis Byrne
