<%=h...%>

Frederick_Cheung · July 21, 2010, 7:10am

In the "Head First Rails" book, it mentions that "h" in <%=h...%> is a helper method.

Can someone describe what that means? And, when should I use <%=h...%>? Is it when I want the result to be displayed on my view for example?

h is short for html_escape. You're probably end up using it nearly every time you display user entered data (or you may be at the risk of xss attacks). From rails 2.3.8 there's a different way of handling this - strings have a notion of whether they are safe or not

Fred

11155 · July 21, 2010, 8:37am

Frederick Cheung wrote:

Frederick_Cheung · July 21, 2010, 8:56am

Fred, can you just clarify?

- html_escape

http://api.rubyonrails.org/classes/ERB/Util.html#M000138

- XSS attacks

that's a huge topic - http://lmgtfy.com/?q=XSS+attacks

Fred

11155 · July 21, 2010, 9:02am

Frederick Cheung wrote:

Topic		Replies	Views
<%=h...%> rubyonrails-talk	0	92	July 21, 2010
html safe and <%=h rubyonrails-talk	2	120	April 24, 2009
Securing the views rubyonrails-talk	3	111	November 10, 2008
what is the h for in <td><%=h s.name %></td>? rubyonrails-talk	2	115	April 14, 2011
html_escape method rubyonrails-talk	0	88	August 13, 2007

<%=h...%>

Related topics

More Resources