rails3 xss escaping

Hi.

Is there a way to disable the default xss escaping of everything in rails3?

What's the proper way of doing string concatenations like below with rails3 if xss escaping cannot be disabled: "something #{link_to('something else') if value == true}"

Marcelo Barbudas wrote:

Hi.

Is there a way to disable the default xss escaping of everything in rails3?

I don't know of a way to disable it entirely, that's sort of the point. Safe by default.

When you want to bypass the escaping you can use the 'raw' method:

<%= raw my_unsafe_string %>

Think of this as the opposite of the old 'h' method.

What's the proper way of doing string concatenations like below with rails3 if xss escaping cannot be disabled: "something #{link_to('something else') if value == true}"

In helpers it's also possible to mark the string as html_safe:

"something #{link_to('something else') if value == true}".html_safe

Read this as, "I'm telling you that this is safe so don't escape it."
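An added Ruby model of the behaviour discussed in this thread (not ActiveSupport's own code: SafeBuffer, link_to and render below are simplified stand-ins), showing why the interpolated string gets escaped, what html_safe changes, and why html_safe on a string that also carries user input removes the protection for that input:

```ruby
require 'erb'

# Minimal stand-in for ActiveSupport::SafeBuffer (constructed for this example):
# a trusted String that escapes anything untrusted appended to it, as the Rails 3
# template output buffer does.
class SafeBuffer < String
  def html_safe?; true; end
  def html_safe; self; end
  def <<(value)
    safe = value.respond_to?(:html_safe?) && value.html_safe?
    super(safe ? value : ERB::Util.html_escape(value))
  end
end

class String
  def html_safe?; false; end                 # plain strings are untrusted
  def html_safe; SafeBuffer.new(self); end   # the opt-out the reply describes
end

# Stand-in for link_to (not the Rails helper): escapes inputs, returns a trusted buffer.
def link_to(text, href)
  %(<a href="#{ERB::Util.html_escape(href)}">#{ERB::Util.html_escape(text)}</a>).html_safe
end

# Models `<%= expr %>`: appending to the output buffer escapes untrusted values.
def render(expr)
  SafeBuffer.new("") << expr
end

# The question's pattern: interpolation yields a plain String, so the link
# markup inside it is escaped together with everything else.
def interpolated_example
  render("something #{link_to('something else', '/else')}")
end

# The reply's fix: html_safe marks the whole concatenation as trusted.
def html_safe_example
  render("something #{link_to('something else', '/else')}".html_safe)
end

# The hazard: html_safe also trusts any user input interpolated into the string.
def unsafe_with_user_input(user_name)
  render("hello #{user_name} #{link_to('something else', '/else')}".html_safe)
end

# Safer: append the parts to a trusted buffer, so the untrusted user input is
# escaped while the already-trusted link passes through intact.
def safe_with_user_input(user_name)
  render("hello ".html_safe << user_name << " " << link_to('something else', '/else'))
end
```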