html safe and <%=h

Suman_Gurung · April 24, 2009, 2:05pm

Hi all,

This is kinda a noob question. Can someone please explain what html safe mean, and what the function h in rails do and what are the best times to use it. Even links will be helpful but i am doubtful if any good explanations exists because i did a little search on couldn't get more info.

I know that <%=h tries to make the whatever we are writing to the web page as html safe by stripping out all the html tags. Does this include all the <script> tags also??

thanks in advance.

suman

Marnen_Laibow-Koser · April 24, 2009, 5:00pm

[...]

I know that <%=h tries to make the whatever we are writing to the web page as html safe by stripping out all the html tags. Does this include all the <script> tags also??

Well, <script> is an HTML tag, isn't it?

Anyway, it's not quite true that h removes HTML tags. Rather, what it does is escape characters that have a special meaning in HTML, so that "<tag>" will become "<tag>".

thanks in advance.

suman

Best,

Suman_Gurung · April 24, 2009, 6:17pm

Alright. And that is how the XSS attack is prevented.

Suman

Topic		Replies	Views
<%=h...%> rubyonrails-talk	3	117	July 21, 2010
Securing the views rubyonrails-talk	3	111	November 10, 2008
what is the h for in <td><%=h s.name %></td>? rubyonrails-talk	2	115	April 14, 2011
Sanitizing HTML in a model? rubyonrails-talk	0	96	October 15, 2007
Rails 3 and html_safe rubyonrails-talk	4	163	May 17, 2010

html safe and <%=h

Related topics

More Resources