<%=h...%>

In the "Head First Rails" book, it mentions that "h" in <%=h...%> is a helper method.

Can someone describe what that means? And, when should I use <%=h...%>? Is it when I want the result to be displayed on my view for example?

h is short for html_escape. You'll probably end up using it nearly every time you display user entered data (or you may be at the risk of XSS attacks). From rails 2.3.8 there's a different way of handling this - strings have a notion of whether they are safe or not.

Fred

Frederick Cheung wrote:

Fred, can you just clarify?

- html_escape

http://api.rubyonrails.org/classes/ERB/Util.html#M000138

- XSS attacks

that's a huge topic - http://lmgtfy.com/?q=XSS+attacks

Fred
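As an added illustration (not code from the thread, and stdlib-only, so the Rails safe-string mechanism Fred mentions is not reproduced): a tiny ERB harness that mixes in ERB::Util the way Rails views do, and renders the same constructed comment with and without h. The View class, USER_INPUT and the two render functions are assumptions made for this demo.

```ruby
require 'erb'

# Minimal stand-in for a Rails view: mixing in ERB::Util makes `h`
# (an alias of html_escape) callable inside <%= %> tags. Assumed name.
class View
  include ERB::Util

  def initialize(comment)
    @comment = comment
  end

  # Evaluate the template against this object's binding, so @comment
  # and h are both visible to the template code.
  def render(template)
    ERB.new(template).result(binding)
  end
end

# Constructed sample of "user entered data" that contains markup.
USER_INPUT = %q(<script>alert("xss")</script> Tom & "Jerry")

# Without h: the markup is copied verbatim into the page, so a browser
# would treat the <script> element as part of the document.
def render_unescaped(input = USER_INPUT)
  View.new(input).render('<p><%= @comment %></p>')
end

# With h: &, <, > and " are turned into entities, so the browser shows
# the text of the comment instead of interpreting it as markup.
def render_escaped(input = USER_INPUT)
  View.new(input).render('<p><%=h @comment %></p>')
end

if __FILE__ == $PROGRAM_NAME
  puts render_unescaped
  puts render_escaped
end
```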
