Securing the views

Hi,

what about writing <%= h(@foo) %> in the view? I heard it's necessary for every information out of the database, I just couldn't find any information 'bout that?

... and what about writing -%> ? What's that for? In which situation?

Greetings Mario

Hi,

what about writing <%= h(@foo) %> in the view? I heard it's necessary for every information out of the database, I just couldn't find any information 'bout that?

That escapes the text, i.e. < becomes &lt; and so on. If users are just
inputting raw text this prevents against them using characters which
have special significance whether malicious (users trying to insert
funny tags into the page) or not (users don't have to know about
writing &amp; instead of &)

... and what about writing -%> ? What's that for? In which situation?

That's to do with suppressing the empty lines you would otherwise get
in the output for stuff like <% if ... %>   ... <% end %>
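Added example, not from the thread: plain Ruby's ERB (no Rails needed) rendering the same template with and without h(), plus a loop written with %> and with -%> so the blank-line difference is visible. The sample "database" value is constructed.

```ruby
require "erb"
include ERB::Util  # provides h() (alias of html_escape), the helper Rails exposes as h in views

# Constructed sample value standing in for a field read from the database.
UNTRUSTED_NAME = 'Mario <script>alert("xss")</script> & Co'

# Renders an ERB template; trim: true switches on trim_mode "-" so -%> is honoured.
def render(template, name, trim: false)
  ERB.new(template, trim_mode: trim ? "-" : nil).result(binding)
end

# Interpolated raw: the <script> tag reaches the browser as markup.
def render_unsafe(name)
  render("<p><%= name %></p>", name)
end

# Wrapped in h(): <, >, &, " and ' become entities and display as plain text.
def render_safe(name)
  render("<p><%= h(name) %></p>", name)
end

# Same loop twice: every <% %> line leaves its newline in the output unless closed with -%>.
LIST_TEMPLATE = <<~TPL
  <ul>
  <% %w[a b].each do |item| %>
  <li><%= item %></li>
  <% end %>
  </ul>
TPL

LIST_TEMPLATE_TRIMMED = <<~TPL
  <ul>
  <% %w[a b].each do |item| -%>
  <li><%= item %></li>
  <% end -%>
  </ul>
TPL

def render_list(trim: false)
  render(trim ? LIST_TEMPLATE_TRIMMED : LIST_TEMPLATE, nil, trim: trim)
end

puts render_unsafe(UNTRUSTED_NAME)
puts render_safe(UNTRUSTED_NAME)
puts render_list(trim: false)
puts render_list(trim: true)
```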

what about writing <%= h(@foo) %> in the view? I heard it's necessary for every information out of the database, I just couldn't find any information 'bout that?

You can also use <%= sanitize @foo %> that will allow only a few unharmful HTML tags that you choose.

Thanks guys, quick and essential. Having some work now changing some code :wink: