
Ruby on Rails Question

What the heck does the "h" do when you have code nested in this "<%=h %>"?

It's driving me nuts, b/c I see code snippets using it and I cannot figure out why!
 papa posted over a year ago

Ruby on Rails Answers

cliff said:
The "h" is a built-in method in Rails that escapes out html code in text that you happen to be rendering.

One of the uses of the "h" is to prevent cross-site scripting (css or xss, depending on how extreme you're feeling) Javascript attacks on clients.

Some people think it's kind of stupid that escaping isn't automatically done at a <%= some_string %>, but there are counter-arguments, as well.
posted over a year ago 
michael said:
Also, it should be noted that h (which is an alias for html_escape) only converts four characters:
& => &amp;
" => &quot;
> => &gt;
< => &lt;

It does not include the single quote: ' which means it may be possible in some cases to perform XSS attacks while using this function. I recommend writing an escape function (or replacing html_escape with a function) that also converts:
' => &#39;
posted over a year ago 
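As an added example (not code from the thread or from Rails itself), here is a hand-rolled escaper covering the four characters michael describes next to one that also handles the single quote, plus a check showing why the difference matters inside a single-quoted attribute such as <a title='<%=h user_name %>'>. The function names, the sample value "O'Brien" and the title attribute are all constructed for this illustration.

```ruby
# Added example, not from the original thread. Two escapers: the four-character
# mapping the thread attributes to h/html_escape, and one that also covers the
# single quote so it cannot close a single-quoted attribute.
FOUR_CHAR_MAP = { "&" => "&amp;", "\"" => "&quot;", ">" => "&gt;", "<" => "&lt;" }.freeze
FIVE_CHAR_MAP = FOUR_CHAR_MAP.merge("'" => "&#39;").freeze

# Escape only &, ", > and < (the four characters the thread says h handles).
def escape_four(str)
  str.to_s.gsub(/[&"<>]/) { |c| FOUR_CHAR_MAP[c] }
end

# Escape the same four plus the single quote.
def escape_five(str)
  str.to_s.gsub(/[&"'<>]/) { |c| FIVE_CHAR_MAP[c] }
end

# Render untrusted text into a single-quoted title attribute, the way a
# template such as  <a title='<%=h user_name %>'>  would, using the given
# escaper (a Method or Proc).
def render_title(user_name, escaper)
  "<a title='#{escaper.call(user_name)}'>profile</a>"
end

# True if the title attribute still holds the whole escaped value, i.e. the
# untrusted text did not terminate the attribute early.
def attribute_intact?(html, escaped_value)
  m = html.match(/title='([^']*)'/)
  !m.nil? && m[1] == escaped_value
end

if __FILE__ == $PROGRAM_NAME
  name = "O'Brien"   # constructed sample value containing a single quote
  puts render_title(name, method(:escape_four))  # the ' closes the attribute
  puts render_title(name, method(:escape_five))  # the ' is encoded as &#39;
end
```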
honeyruby said:
Hey, it will print the information which is present in that variable. <%=h%> here, if "h" already has some value in it or a string. This is how to print that information in Ruby.
posted over a year ago 