what about writing <%= h(@foo) %> in the view? I heard it's necessary
for every information out of the database, I just couldn't find any
information 'bout that?
That escapes the text, i.e. < becomes &lt; and so on. If users are just
inputting raw text this prevents against them using characters which
have special significance whether malicious (users trying to insert
funny tags into the page) or not (users don't have to know about
writing &amp; instead of &)
... and what about writing -%> ? What's that for? In which situation?
That's to do with suppressing the empty lines you would otherwise get
in the output for stuff like
<% if ... %>
<% end %>
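Both answers above, as a runnable added example that is not part of the thread: a small stand-in View class (an assumption, not Rails' own view code) mixes in ERB::Util from Ruby's standard library so that the same h() helper is available inside the template, and renders a constructed user-supplied string with and without h(), then the same if/end fragment with plain %> and with -%> (enabled via trim_mode '-') to show the blank lines disappearing.

```ruby
require 'erb'

# Hypothetical stand-in for a Rails view object (not Rails code): including
# ERB::Util gives the template access to h(), i.e. ERB::Util.html_escape.
class View
  include ERB::Util

  def initialize(foo)
    @foo = foo # stands in for a value read from the database
  end

  # trim_mode '-' is what makes the -%> tag ending legal; without it the
  # trailing newline after each <% %> line is kept in the output.
  def render(template, trim: false)
    erb = trim ? ERB.new(template, trim_mode: '-') : ERB.new(template)
    erb.result(binding)
  end
end

# Constructed sample input: text a user might have saved, containing both a
# bare ampersand and a tag that should not be interpreted as markup.
USER_INPUT = 'Tom & Jerry <b>hi</b>'

# <%= @foo %> inserts the stored text verbatim, so the <b> becomes real markup.
def render_raw
  View.new(USER_INPUT).render('<p><%= @foo %></p>')
end

# <%= h(@foo) %> turns &, <, > (and quotes) into entities, so the browser
# shows the characters instead of interpreting them.
def render_escaped
  View.new(USER_INPUT).render('<p><%= h(@foo) %></p>')
end

# The same if/end block, once with plain %> and once with -%>.
UNTRIMMED = "<ul>\n<% if @foo %>\n<li><%= h(@foo) %></li>\n<% end %>\n</ul>\n"
TRIMMED   = "<ul>\n<% if @foo -%>\n<li><%= h(@foo) %></li>\n<% end -%>\n</ul>\n"

def render_untrimmed
  View.new(USER_INPUT).render(UNTRIMMED)
end

def render_trimmed
  View.new(USER_INPUT).render(TRIMMED, trim: true)
end

if __FILE__ == $0
  puts render_raw
  puts render_escaped
  puts render_untrimmed.inspect
  puts render_trimmed.inspect
end
```

The untrimmed version yields an empty line for each of the `<% if %>` and `<% end %>` lines, the `-%>` version swallows the newline that follows the tag. Note that this explicit h() call is the Rails 2 era convention the thread describes; from Rails 3 on, `<%= %>` escapes by default and output is only left unescaped when explicitly marked with raw or html_safe.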