how to tackle <script> tag?

11175 · January 18, 2008, 5:42am

you could escape the content via &lth;

or

you could use the 'h' or 'sanatize' methods in the template. << should be automatic almost all of the time

11175 · January 18, 2008, 5:45am

h(str):

escapes all html

sanitize(str):

escapes script tags, form tags and javascript attributes (ie. onclick="alert('hi')"

however as of rails 2.0 (maybe 1.2.4 even) sanitize can take parameters to specify unique filter options.

11175 · January 18, 2008, 5:45am

Keynan Pratt wrote:

you could escape the content via &lth;

or

you could use the 'h' or 'sanatize' methods in the template. << should be automatic almost all of the time

could you please write some syntax? thanks

Topic		Replies	Views
Sanitizing HTML in a model? rubyonrails-talk	0	90	October 15, 2007
Preventing Javascript but allowing HTML? rubyonrails-talk	1	117	March 22, 2008
How to stop ruby escaping javascript? rubyonrails-talk	4	149	November 15, 2012
what to use for sanitize? rubyonrails-talk	2	158	May 12, 2009
html safe and <%=h rubyonrails-talk	2	114	April 24, 2009

how to tackle <script> tag?

Related topics

More Resources