What does <% = h ...%> mean in Rails?

Question

What does <% = h ...%> mean in Rails?

I found the following syntax here :

 <%=h @person.first_name %>

What does h mean?

+6

ruby-on-rails ruby-on-rails-3 erb

Misha moroshko Dec 15 '10 at 10:21

source share

2 answers

h is an alias of the html_escape method in Rails.

If you do not avoid the text with h, then someone can write javascript there and it will be executed when you display the page.

So, if you are not sure that the data that you show is absolutely safe, run it through a filter that eludes characters from HTML tags.

+4

crazycrv Dec 15 '10 at 14:10

source share

idlefingers · Accepted Answer · 2010-12-15T10:24:40+0000

This is for escaping tag output to avoid cross-site scripting. In rails 3, it was changed to the default value for a string (so instead of talking about that string, you say it's a safe string).

http://api.rubyonrails.org/classes/ERB/Util.html#method-ch

What does <% = h ...%> mean in Rails?

More articles: