 

What does <%=h ... %> mean in Rails?

I found here the following syntax:

<%=h @person.first_name %>

What does the h mean?

Misha Moroshko asked Dec 15 '10 10:12


2 Answers

It's for escaping the output of the tag to avoid cross-site scripting. In Rails 3, it's been changed to the default for a string (so rather than saying "escape this string", you say "this is a safe string").

http://api.rubyonrails.org/classes/ERB/Util.html#method-c-h

idlefingers answered Sep 19 '22 23:09


h is an alias for the html_escape method in Rails.

If you do not escape the text using h, then someone can write JavaScript there and it will get executed when you render the page.

So if you're not sure the data you're displaying is absolutely safe, run it through a filter that escapes HTML tag characters.

crazycrv answered Sep 20 '22 23:09
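Both answers above make the same point: h (html_escape) turns markup characters in a value into HTML entities so the browser displays them as text instead of interpreting them. The following is an added example, not code from the question or either answer, that renders the exact <%=h @person.first_name %> template from the question with plain Ruby ERB (ERB::Util is where Rails gets h from) against a constructed first name that contains a script tag. The Person struct, Renderer class and the sample name are all assumptions made for the demonstration.

```ruby
require "erb"

# Minimal stand-in for the @person object in the question (hypothetical).
Person = Struct.new(:first_name)

# Constructed sample: a "first name" that carries markup, as an attacker
# might submit through a sign-up form. Contains <, >, " and '.
UNSAFE_NAME = %q{<script>alert("xss")</script> O'Brien}

# Same as the question's tag, but without h: the value is inserted verbatim.
RAW_TEMPLATE = "<p><%= @person.first_name %></p>"

# The question's tag: h escapes the value before it reaches the page.
ESCAPED_TEMPLATE = "<p><%=h @person.first_name %></p>"

# Evaluates an ERB template with @person in scope, the way a Rails view
# has access to instance variables set by the controller.
class Renderer
  include ERB::Util # provides html_escape and its alias h inside the template

  def initialize(person)
    @person = person
  end

  def render(template)
    ERB.new(template).result(binding)
  end
end

# Helper used to check rendered output: true if the raw script tag survived,
# i.e. the browser would execute it.
def executable_script?(html)
  html.include?("<script>")
end

if __FILE__ == $PROGRAM_NAME
  renderer = Renderer.new(Person.new(UNSAFE_NAME))
  puts "raw:     #{renderer.render(RAW_TEMPLATE)}"
  puts "escaped: #{renderer.render(ESCAPED_TEMPLATE)}"
end
```

Plain ERB never escapes on its own, so the RAW_TEMPLATE output contains the script tag unchanged, while the ESCAPED_TEMPLATE output has every <, >, " and ' replaced by an entity (&lt;, &gt;, &quot;, &#39;) and renders as harmless text. As the first answer notes, Rails 3 and later escape <%= %> by default, so there the difference only shows up when a string has been marked safe and bypasses escaping.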