Escaping HTML and JavaScript for Display

2017-11-03 09:05:07

Problem

You want to display data that might contain HTML or JavaScript without making browsers render it as HTML or interpret the JavaScript. This is especially important when displaying data entered by users.

Solution

Pass a string of data into the h() helper function to escape its HTML entities. That is, instead of this:

<%= @data %>

Write this:

<%=h @data %>

The h() helper function converts the following characters into their HTML entity equivalents: ampersand (&), double quote ("), left angle bracket (<), and right angle bracket (>).

Discussion

You won find the definition for the h() helper function anywhere in the Rails source code, because its a shortcut for ERbs built-in helper function html_escape().

JavaScript is deployed within HTML tags like

`See Also`

Chapter 11

Related 2017-11-03 09:05:07 Web Development Ruby on Rails 2017-11-03 09:05:07 Passing Data from the Controller to the View 2017-11-03 09:05:07 Creating a Layout for Your Header and Footer 2017-11-03 09:05:07 Integrating a Database with Your Rails Application 2017-11-03 09:05:07 Escaping HTML and JavaScript for Display 2017-11-03 09:05:07 Setting and Retrieving Session Information 2017-11-03 09:05:07 Setting and Retrieving Cookies 2017-11-03 09:05:07 Refactoring the View into Partial Snippets of Views 2017-11-03 09:05:07 Adding DHTML Effects with script.aculo.us 2017-11-03 09:05:07 Generating Forms for Manipulating Model Objects 2017-11-03 09:05:07 Documenting Your Web Site 2017-11-03 09:05:07 Unit Testing Your Web Site Категории Search