Escaping HTML and JavaScript for Display

2017-11-03 09:05:07

Problem

You want to display data that might contain HTML or JavaScript without making browsers render it as HTML or interpret the JavaScript. This is especially important when displaying data entered by users.

Solution

Pass a string of data into the h() helper function to escape its HTML entities. That is, instead of this:

<%= @data %>

Write this:

<%=h @data %>

The h() helper function converts the following characters into their HTML entity equivalents: ampersand (&), double quote ("), left angle bracket (<), and right angle bracket (>).

Discussion

You won find the definition for the h() helper function anywhere in the Rails source code, because its a shortcut for ERbs built-in helper function html_escape().

JavaScript is deployed within HTML tags like

`See Also`

Chapter 11

Related 2017-11-03 09:05:07 Web Development Ruby on Rails 2017-11-03 09:05:07 Writing a Simple Rails Application to Show System Status 2017-11-03 09:05:07 Creating a Layout for Your Header and Footer 2017-11-03 09:05:07 Redirecting to a Different Location 2017-11-03 09:05:07 Integrating a Database with Your Rails Application 2017-11-03 09:05:07 Storing Hashed User Passwords in the Database 2017-11-03 09:05:07 Setting and Retrieving Cookies 2017-11-03 09:05:07 Extracting Code into Helper Functions 2017-11-03 09:05:07 Refactoring the View into Partial Snippets of Views 2017-11-03 09:05:07 Adding DHTML Effects with script.aculo.us 2017-11-03 09:05:07 Documenting Your Web Site 2017-11-03 09:05:07 Using breakpoint in Your Web Application Категории Search