When is it possible to set as the value of project.name, what is the best way to escape the output of the following?
<%= project.name %>
Dennis Byrne
On 7/13/06, [email protected] [email protected] wrote:
> When is it possible to set as the value of project.name, what is the best way to escape the output of the following?
> <%= project.name %>
<%=h project.name %>
Hi Dennis,
Dennis_Byrne wrote:
> When is it possible to set as the value of project.name,
Not sure I understand this. Is it something you want to do? Or something you're trying to protect against?
> what is the best way to escape the output of the following?
> <%= project.name %>
<%=h project.name %> is the standard way of escaping output in Rails.
hth,
Bill
On Thursday, July 13, 2006, at 9:28 AM, wrote:
> [email protected]
> http://lists.rubyonrails.org/mailman/listinfo/rails
like this…
<%= h project.name %>
h() is a shortcut for html_escape, and should be used for any text output in a view that could be malicious. I seem to recall support was added to ERB a while back to make this the default behavior.
_Kevin
OK, just use h. Thanks to Kevin and Bill.
Dennis Byrne
Kevin O. [email protected]
Sent by: [email protected]
07/13/2006 09:42 AM
Please respond to [email protected]
To: [email protected]
cc:
Subject: Re: [Rails] script injection/cross-site scripting protection
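An added example, not code from the thread: it renders a constructed, attacker-controlled project name through the two ERB templates the replies compare, `<%= project.name %>` and `<%=h project.name %>`, using the same `h` (ERB::Util.html_escape) that Kevin and Bill recommend. ViewContext, Project, the sample name and the markup check are assumptions made for the example.

```ruby
require "erb"

# Stand-in for the ActiveRecord model discussed in the thread; the name
# is a constructed value a user could have typed into a form.
Project = Struct.new(:name)
SAMPLE_NAME = '<script>alert(1)</script>&"x"'

# Mimics a Rails view: including ERB::Util gives the template the h helper
# (alias of html_escape), exactly what <%=h ... %> calls in a Rails view.
class ViewContext
  include ERB::Util

  def initialize(project)
    @project = project
  end

  # Evaluates the ERB template in this object's binding, so the template
  # can reach `project` and `h` just as a Rails view would.
  def render(template)
    ERB.new(template).result(binding)
  end

  private

  def project
    @project
  end
end

UNESCAPED_TEMPLATE = "<li><%= project.name %></li>"   # what the question used
ESCAPED_TEMPLATE   = "<li><%=h project.name %></li>"  # what the replies recommend

# Renders the same name through both templates and returns both results.
def render_both(name)
  ctx = ViewContext.new(Project.new(name))
  { unescaped: ctx.render(UNESCAPED_TEMPLATE), escaped: ctx.render(ESCAPED_TEMPLATE) }
end

# Cheap defender-side check on rendered output: after escaping, no literal
# active element or javascript: URL should survive from the untrusted value.
def contains_active_markup?(html)
  html.match?(/<(script|img|iframe|svg)\b/i) || html.include?("javascript:")
end

if __FILE__ == $PROGRAM_NAME
  render_both(SAMPLE_NAME).each { |kind, html| puts "#{kind}: #{html}" }
end
```

The escaped template turns `<`, `>`, `&` and `"` into entities, so the browser shows the name as text instead of running it; Rails 3.0 and later do this for `<%= %>` by default, which is the ERB change Kevin recalls.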