rails3 xss escaping

Hi.

Is there a way to disable the default xss escaping of everything in
rails3?

What's the proper way of doing string concatenations like below with
rails3 if xss escaping can not be disabled:
"something #{link_to('something else') if value == true}"

Marcelo Barbudas wrote:

Hi.

Is there a way to disable the default xss escaping of everything in
rails3?

I don't know of a way to disable it entirely, that's sort of the point.
Safe by default.

When you want to bypass the escaping you can use to use the 'raw'
method:

<%= raw my_unsafe_string %>

Think of this as the opposite of the old 'h' method.

What's the proper way of doing string concatenations like below with
rails3 if xss escaping can not be disabled:
"something #{link_to('something else') if value == true}"

In helpers it's also possible to mark the string as html_safe:

"something #{link_to('something else') if value == true}".html_safe

Read this as, "I'm telling you that this is safe so don't escape it."