Forum: Ruby on Rails html safe and <%=h

Suman Gurung (Guest)
on 2009-04-24 16:05
(Received via mailing list)
Hi all,

This is kind of a noob question. Can someone please explain what html
safe means, what the function h in rails does and what are the best
times to use it. Even links will be helpful but I am doubtful if any
good explanations exist because I did a little search and couldn't get
more info.

I know that <%=h tries to make whatever we are writing to the web
page html safe by stripping out all the html tags. Does this
include all the <script> tags also?

thanks in advance.

suman
Marnen Laibow-Koser (marnen)
on 2009-04-24 19:01
(Received via mailing list)
On Apr 24, 10:05 am, Suman Gurung <sumangur...@gmail.com> wrote:
[...]
> I know that <%=h tries to make the whatever we are writing to the web
> page as html safe by stripping out all the html tags. Does this
> include all the <script> tags also??

Well, <script> is an HTML tag, isn't it?

Anyway, it's not quite true that h removes HTML tags.  Rather, what it
does is escape characters that have a special meaning in HTML, so that
"<tag>" will become "&lt;tag&gt;".
>
> thanks in advance.
>
> suman

Best,
--
Marnen Laibow-Koser
http://www.marnen.org
marnen@marnen.org
codeinnova (Guest)
on 2009-04-24 20:18
(Received via mailing list)
Alright. And that is how the XSS attack is prevented.

Suman
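As an added illustration of Marnen's point (escaping, not stripping) and of codeinnova's conclusion that this is what blocks the injection, here is a small script that is not from the thread. It assumes that Rails' `<%=h %>` helper is `ERB::Util.html_escape` from Ruby's standard library (Rails 2.x aliased it as `h`); the sample inputs and the `strip_tags_naive`, `render_comment` and `compare` helpers are constructed for the comparison.

```ruby
require 'erb'

# Rails' <%=h %> helper is ERB::Util.html_escape from the Ruby standard
# library (assumption: the stdlib version used here behaves the same way).
# It does not delete markup; it turns the characters that have meaning in
# HTML (&, <, >, ") into entities so the browser shows them as text.
def h(text)
  ERB::Util.html_escape(text)
end

# A naive tag stripper, included only to contrast the two approaches: it
# throws away anything that looks like a tag, and with it any legitimate
# text that happens to contain < or >.
def strip_tags_naive(text)
  text.to_s.gsub(/<[^>]*>/, '')
end

# Our own trusted markup wraps the escaped user text: the <p> stays a tag,
# the untrusted content cannot introduce a tag of its own.
def render_comment(user_text)
  "<p>#{h(user_text)}</p>"
end

# For one input, what each approach produces.
def compare(text)
  { escaped: h(text), stripped: strip_tags_naive(text) }
end

# Constructed sample inputs, not taken from the original thread.
SAMPLES = {
  script_tag: '<script>console.log("hi")</script>',
  plain_text: '1 < 2 && 3 > 2',
  ampersand:  'a&b'
}.freeze

if $PROGRAM_NAME == __FILE__
  SAMPLES.each do |label, text|
    r = compare(text)
    puts "#{label}:"
    puts "  input:    #{text}"
    puts "  h():      #{r[:escaped]}"
    puts "  stripped: #{r[:stripped]}"
  end
  puts render_comment(SAMPLES[:script_tag])
end
```

Run it with `ruby escape_demo.rb`: the `<script>` sample comes out of `h` as `&lt;script&gt;...&lt;/script&gt;`, which a browser renders literally instead of executing, while the stripper mangles the harmless `1 < 2 && 3 > 2` into `1  2` because it cannot tell a comparison from a tag. That is why the helper escapes rather than strips.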