ERROR: undefined method `h' for ERB::Util:Module

I get the above error when I use

ERB::Util.h(content)

in my controller's action.

Can anyone tell me how to use this 'h' method within a controller?

thanks,
Jigar G.

Jigar G. wrote:

ERROR: undefined method `h’ for ERB::Util:Module

I get the above error when I use

ERB::Util.h(content)

in my controller's action.

Can anyone tell me how to use this 'h' method within a controller?

thanks,
Jigar G.
http://jigar.org

<%= h content %>

_Kevin

Kevin O. wrote:

Jigar G. wrote:

ERROR: undefined method `h’ for ERB::Util:Module

I get the above error when I use

ERB::Util.h(content)

in my controller's action.

Can anyone tell me how to use this 'h' method within a controller?

thanks,
Jigar G.
http://jigar.org

<%= h content %>

I am aware of this; I want to use it in the controller's action, not the view.

_Kevin

2006/1/22, Jigar G. [email protected]:

Can anyone tell me how to use this 'h' method within a controller?

The long answer is that you’re probably doing something wrong if you
want to escape output in the controller. The controller shouldn’t
handle rendering views itself, and part of rendering the views is
escaping output. So, as Kevin and Jules have said, you should just
pass the unescaped content to the view, and then you can safely escape
everything in the view, without worrying about escaping things
twice.

If you are creating HTML in the controller, that shouldn’t be there
either. If you move that into a view helper, you’ll have no problem
accessing html_escape.

But having said that, here is the answer to your question, I just hope
you won’t use it:

Using ERB::Util as a mixin:

class FishyController < ActionController::Base
  # mixing the module in makes html_escape (and its alias h) available as instance methods
  include ERB::Util  # this should look strange to you

  def something_that_should_be_in_the_view
    # you should be surprised to see
    # anything about HTML in a controller
    @html = "<li>#{html_escape("a is > b")}</li>"
  end
end

Regards,
Douglas

Why would you want to use that in your controller? I assume that the
h()'ed content gets outputted via a view. You could call h() at that
point, couldn’t you?

Jules

I don’t think that would be a good idea. You cannot use capture() then.


<% @footer = capture do %>
<%= link_to 'Edit', :action => 'edit', :id => @post %>
<% end %>

And in your layout:

...
<%= @footer %>
...

Or is there a better way to do this?

Thanks in advance,

Jules

Douglas L. wrote:

2006/1/22, Jigar G. [email protected]:

Can anyone tell me how to use this 'h' method within a controller?

The long answer is that you’re probably doing something wrong if you
want to escape output in the controller. The controller shouldn’t
handle rendering views itself, and part of rendering the views is
escaping output. So, as Kevin and Jules have said, you should just
pass the unescaped content to the view, and then you can safely escape
everything in the view, without worrying about escaping things
twice.

You know, this has been bothering me a bit lately. If the point of
doing an html escape on the output is to prevent security problems,
wouldn’t it make sense for the default action on outputting data for it
to be html_escape’d?

Then one could use a different function to return the unescaped string
instead.

Sure, it will cause all sorts of problems in some ways, but the overall
result would be that it would force the developer to explicitly return
unsafe content, so there would be little to no chance of it leaking out
by accident.

I suppose that a third way would be for ERb to require either the ‘h’ or
‘u’ function for it to generate text output. If you don’t specify which
one you want, nothing would happen.

_Kevin

Jules J. wrote:

I don’t think that would be a good idea. You cannot use capture() then.


<% @footer = capture do %>
<%= link_to 'Edit', :action => 'edit', :id => @post %>
<% end %>

And in your layout:

...
<%= @footer %>
...

Or is there a better way to do this?

Thanks in advance,

Jules

Not really a problem. As I see it, you would want to have an ERb
function to allow unescaped text.

So your view would look like this…

<%= unsafe(@footer) %>

of

This way you also get the side benefit that when you read the code, you
instantly know if there is a potential security issue so you will pay
more attention to where @footer came from.

I will admit that I don’t understand ERb well enough to know what else
this approach would break.

it might also be possible to set up erb to use a format like this…

<%unsafe %>

And just have the standard <%= %> force an html escape by default.

_Kevin
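The following is an added example, not code from this thread. It shows in plain Ruby ERB what Douglas's reply warns about (escaping in the controller and then again in the view double-encodes the output) and sketches the "mark already-built HTML as trusted so it is not escaped again" idea from Jules's capture() case and Kevin's unsafe() proposal. TrustedHtml, out, render and the sample input are all constructed for this example; only ERB::Util.html_escape is the real library call.

```ruby
require "erb"

# Constructed marker for a fragment that is already HTML (a captured footer,
# for instance) and must pass through the view untouched.
class TrustedHtml
  attr_reader :html
  def initialize(html)
    @html = html
  end
end

# View-side output helper: escapes plain strings exactly once and passes
# marked HTML through. This plays the role of Kevin's proposed escape hatch.
def out(value)
  value.is_a?(TrustedHtml) ? value.html : ERB::Util.html_escape(value.to_s)
end

# A minimal view. Escaping happens here, at the point of output.
VIEW = ERB.new("<li><%= out(content) %></li>")

def render(content)
  VIEW.result(binding)
end

# Constructed untrusted input, as it might arrive from a request parameter.
RAW = "a is > b & <script>alert(1)</script>"

# Recommended: the controller hands over the raw string, the view escapes once.
def escape_in_view
  render(RAW)
end

# The anti-pattern from the original question: escaping in the controller and
# again in the view double-encodes every entity, so "&gt;" is shown literally.
def escape_in_controller_and_view
  pre_escaped = ERB::Util.html_escape(RAW) # done "in the controller"
  render(pre_escaped)                      # escaped a second time in the view
end

# A fragment that already contains markup is built with the untrusted text
# escaped once and then marked trusted, so the view leaves it alone.
def trusted_fragment
  footer = TrustedHtml.new("<a href=\"/edit/1\">#{ERB::Util.html_escape(RAW)}</a>")
  render(footer)
end
```

Comparing the three outputs makes the thread's point concrete: escape exactly once, at output, and make any bypass of that escaping visible in the view.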

Kevin O. wrote:

You know, this has been bothering me a bit lately. If the point of
doing an html escape on the output is to prevent security problems,
wouldn’t it make sense for the default action on outputting data for it
to be html_escape’d?

No, the point of doing html escape is to convert characters being sent to an html output stream into acceptable characters for that format. Characters such as '>', '<', '&', etc. are significant in html/xml, so if they are not intended to be used in these capacities they need to be escaped.

Actions are not solely in existence to produce output for html pages; they can be used to produce output for all sorts of resulting file types (yaml, email, pdf, etc.) or might simply need to pass their resulting data on to more code. Whether certain characters in that data need to be escaped or not is clearly dependent on the destination medium.

b

2006/1/22, Kevin O. [email protected]:

You know, this has been bothering me a bit lately. If the point of
doing an html escape on the output is to prevent security problems,
wouldn’t it make sense for the default action on outputting data for it
to be html_escape’d?

Hmm, I think that it would just add confusion:

Example: <%= link_to :action => 'something' %>

That would then output escaped HTML, rather than a link.

Douglas