I found here the following syntax:
<%=h @person.first_name %>
What does the h mean?
It's for escaping the output of the tag to avoid cross-site scripting. In Rails 3, it's been changed to the default for a string (so rather than saying escape this string, you say, this is a safe string).
http://api.rubyonrails.org/classes/ERB/Util.html#method-c-h
h is an alias for the html_escape method in Rails.
If you do not escape the text using h, then someone can write JavaScript there and it will get executed when you render the page.
So if you're not sure the data you're displaying is absolutely safe, run it through a filter that escapes HTML tag characters.
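Added example (not part of the question or either answer): plain Ruby's stdlib ERB ships the same ERB::Util module, whose h is an alias of html_escape, so the difference between <%= %> and <%=h %> can be shown without Rails. The View class, templates and the hostile first name below are constructed for the demonstration.

```ruby
require "erb"

# Minimal stand-in for a Rails view context: including ERB::Util
# provides h (alias of html_escape) inside the template, as Rails views do.
class View
  include ERB::Util

  def initialize(first_name)
    @first_name = first_name
  end

  # Render an ERB template against this view's instance variables.
  def render(template)
    ERB.new(template).result(binding)
  end
end

# Constructed attacker-controlled input, e.g. a name submitted through a form.
HOSTILE_NAME = '<script>alert("xss")</script>Alice'

UNESCAPED_TEMPLATE = "<p>Hello, <%= @first_name %></p>"
ESCAPED_TEMPLATE   = "<p>Hello, <%=h @first_name %></p>"

# Without h: the markup is copied into the page verbatim.
def render_unescaped(name = HOSTILE_NAME)
  View.new(name).render(UNESCAPED_TEMPLATE)
end

# With h: < > " & are turned into entities, so the browser shows text.
def render_escaped(name = HOSTILE_NAME)
  View.new(name).render(ESCAPED_TEMPLATE)
end

# True when the rendered HTML still contains a live <script> element.
def contains_script_tag?(html)
  html.include?("<script>")
end

if __FILE__ == $0
  puts render_unescaped   # script tag survives and would run in the browser
  puts render_escaped     # &lt;script&gt;... is displayed, not executed
end
```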