Forum: Ruby on Rails Securing the views

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Mario Peterscheck (panatura)
on 2008-11-10 23:12
Hi,

what about writing <%= h(@foo) %> in the view? I heard it's necessary
for every information out of the database, I just couldn't find any
information 'bout that?

... and what about writing -%> ? What's that for? In which situation?


Greetings
Mario
Frederick Cheung (Guest)
on 2008-11-10 23:51
(Received via mailing list)
On 10 Nov 2008, at 22:12, Mario Peterscheck wrote:

>
> Hi,
>
> what about writing <%= h(@foo) %> in the view? I heard it's necessary
> for every information out of the database, I just couldn't find any
> information 'bout that?
>
That escapes the text, i.e. < becomes &lt; and so on. If users are just
inputting raw text this prevents them from using characters which
have special significance, whether malicious (users trying to insert
funny tags into the page) or not (users don't have to know about
writing &amp; instead of &).

> ... and what about writing -%> ? What's that for? In which situation?
>
That's to do with suppressing the empty lines you would otherwise get
in the output for stuff like
<% if ... %>
  ...
<% end %>
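The two points in Frederick's reply, run side by side in plain Ruby. This is an added example, not code from the thread: it uses the standard-library ERB engine and ERB::Util#h (the same helper Rails' h() wraps) to render a constructed, attacker-controlled string once unescaped and once through h(), and it renders a small loop with and without -%> so the stray blank lines are visible. One caveat the thread does not mention: outside Rails, -%> only works when ERB is created with trim_mode: "-"; Rails enables that mode for its templates. The View class, the template strings and the sample input are all constructed for this example.

```ruby
require "erb"

# Constructed sample of what a user might have stored in the database.
UNTRUSTED = %q{<script>alert("xss")</script> Tom & Jerry}

# Unescaped view: whatever is in @foo lands in the page as markup.
UNSAFE_TEMPLATE = "<p><%= @foo %></p>\n"

# The view from the question: h() turns < > & " ' into entities.
SAFE_TEMPLATE = "<p><%= h(@foo) %></p>\n"

# A loop written with plain %>: each <% %> line leaves its newline behind.
LIST_TEMPLATE = <<~ERB
  <ul>
  <% @foo.each do |item| %>
    <li><%= h(item) %></li>
  <% end %>
  </ul>
ERB

# Same loop with -%>: the newline after each tag is swallowed.
LIST_TEMPLATE_TRIMMED = <<~ERB
  <ul>
  <% @foo.each do |item| -%>
    <li><%= h(item) %></li>
  <% end -%>
  </ul>
ERB

# Minimal stand-in for a Rails view context (hypothetical, not a Rails class).
class View
  include ERB::Util # provides h / html_escape, which Rails' h() delegates to

  def initialize(foo)
    @foo = foo
  end

  # trim_mode "-" is required for -%> outside Rails; Rails sets it for you.
  def render(template, trim_mode: nil)
    ERB.new(template, trim_mode: trim_mode).result(binding)
  end
end

def render_unescaped(foo)
  View.new(foo).render(UNSAFE_TEMPLATE)
end

def render_escaped(foo)
  View.new(foo).render(SAFE_TEMPLATE)
end

# trim: false reproduces the blank lines Frederick describes; trim: true uses -%>.
def render_list(items, trim: false)
  if trim
    View.new(items).render(LIST_TEMPLATE_TRIMMED, trim_mode: "-")
  else
    View.new(items).render(LIST_TEMPLATE)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts render_unescaped(UNTRUSTED)        # script tag reaches the browser
  puts render_escaped(UNTRUSTED)          # &lt;script&gt;...&amp; Jerry
  puts render_list(["a", "<b>"])          # blank line after each <% %>
  puts render_list(["a", "<b>"], trim: true)
end
```

Running it shows the unescaped render contains a live `<script>` element, the escaped render contains only entities, and the untrimmed list has an empty line wherever a `<% %>` tag sat on its own line.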
Fernando Perez (fernando)
on 2008-11-11 00:02
>>
>> what about writing <%= h(@foo) %> in the view? I heard it's necessary
>> for every information out of the database, I just couldn't find any
>> information 'bout that?
>>
You can also use <%= sanitize @foo %>, which will allow only a few
unharmful HTML tags that you choose.
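What "allow only a few tags you choose" means in practice, as an added example that is not from the thread and is not Rails' sanitize helper. In Rails the call is sanitize(@foo, tags: %w[b i em strong], attributes: []) and the work is done by the rails-html-sanitizer gem; the small allow_only function below is a stand-in written for this example so it runs with only the standard library. It escapes everything with ERB::Util.html_escape and then restores exactly the bare allow-listed tokens (<b>, </b>, ...), so a <script> element or a <b onclick=...> with an attribute stays escaped. The input string and the allow list are constructed for the example.

```ruby
require "erb"

# Constructed sample: mixed harmless markup and two attack attempts.
COMMENT = %q{<b>Bold</b> and <i>italic</i> are fine, <script>alert(1)</script> and <b onclick="evil()">x</b> are not}

# Tags the view author decides to permit (hypothetical allow list).
ALLOWED_TAGS = %w[b i em strong].freeze

# Stand-in for Rails' sanitize(html, tags: ..., attributes: []).
# Strategy: escape the whole string, then un-escape only exact, attribute-free
# open/close tokens of allow-listed tags. Anything with attributes, any other
# element, and any stray < > & " ' remains escaped.
def allow_only(html, tags = ALLOWED_TAGS)
  escaped = ERB::Util.html_escape(html)
  tags.each do |tag|
    escaped = escaped.gsub("&lt;#{tag}&gt;", "<#{tag}>")
                     .gsub("&lt;/#{tag}&gt;", "</#{tag}>")
  end
  escaped
end

if __FILE__ == $PROGRAM_NAME
  puts allow_only(COMMENT)
  # <b>Bold</b> and <i>italic</i> survive; <script> and <b onclick=...> are entities
end
```

Because only exact tokens are restored, the tag name and its case must match the allow list, and an allowed closing tag may be restored without its opening one (as with the `</b>` after the attribute-carrying `<b>`), which is harmless in HTML body context. The real Rails helper parses the HTML instead and can also allow-list specific attributes; use it in an application rather than this stand-in.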
Mario Peterscheck (panatura)
on 2008-11-11 00:06
Thanks guys, quick and essential. Having some work now changing some
code ;)