how to tackle <script> tag?

you could escape the content via &lt;

or

you could use the 'h' or 'sanitize' methods in the template. << should be automatic almost all of the time

h(str):

escapes all html

sanitize(str):

escapes script tags, form tags and javascript attributes (i.e. onclick="alert('hi')")

however as of rails 2.0 (maybe 1.2.4 even) sanitize can take parameters to specify unique filter options.

Keynan Pratt wrote:

you could escape the content via &lt;

or

you could use the 'h' or 'sanitize' methods in the template. << should be automatic almost all of the time

could you please write some syntax? thanks
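
The syntax asked for above, as an added example that is not from any poster in the thread: it renders the same user comment raw and through `h` so the difference in the output is visible. It uses Ruby's standard-library ERB instead of a full Rails view so it runs on its own; `CommentView`, `render_comment`, `escaped_part` and the sample comment are hypothetical names and constructed data.

```ruby
require 'erb'

# Constructed sample input: a user-submitted comment carrying a script tag
# and a javascript attribute, the two cases mentioned in the thread.
SAMPLE_COMMENT = %q{Nice post! <script>alert(1)</script> <b onclick="alert('hi')">bold</b>}

# Template written the way it would appear in a Rails .erb view.
# First line prints the value as-is, second line passes it through h().
# In a Rails view, sanitize is called the same way: <%= sanitize(comment) %>
# (Rails-only helper, not available in plain ERB, so it is not run here).
TEMPLATE = <<~ERB_SRC
  <div class="raw"><%= comment %></div>
  <div class="escaped"><%= h(comment) %></div>
ERB_SRC

# Minimal stand-in for a view context. Plain ERB does not escape anything
# automatically, so every untrusted value needs an explicit h().
class CommentView
  include ERB::Util # provides h (alias of html_escape)

  attr_reader :comment

  def initialize(comment)
    @comment = comment
  end

  def render
    ERB.new(TEMPLATE).result(binding)
  end
end

# Render the template for one comment and return the resulting HTML.
def render_comment(comment)
  CommentView.new(comment).render
end

# Pull out the contents of the escaped <div> for inspection.
def escaped_part(html)
  html[%r{<div class="escaped">(.*?)</div>}m, 1]
end

puts render_comment(SAMPLE_COMMENT) if __FILE__ == $0
```

In the output the raw line still contains a live `<script>` element, while the `h` line shows the same text as inert `&lt;script&gt;` that the browser displays instead of executing.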