Article:
  Rolling with Ruby on Rails, Part 2
Subject:   Escaping HTML
Date:   2005-03-05 14:24:38
From:   JustinForder
Thanks for a great article - the examples build on one another really well.
One point - as discussed in the security manual you reference, it is important to escape any content that the user has entered before displaying it. This is needed both to prevent page display being broken by user-entered HTML, and to prevent cross-site scripting attacks by user-entered script.
Fortunately this is easy to do: just use <%h= instead of <%= when displaying unsafe content.

  • Escaping HTML
    2005-03-05 14:25:36  JustinForder

    Er.. that should have been <%=h , not <%h= !
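The difference the comment and its correction describe, shown with plain ERB outside of Rails, as an added example that is not part of the original thread or of the article. Rails views delegate `h` to `ERB::Util.html_escape`, so including `ERB::Util` reproduces the helper; the template strings and the user-entered comment are constructed for the example.

```ruby
require "erb"

# Rails' view helper h() is ERB::Util.html_escape; including the module makes
# h available inside the template, exactly as it is in a Rails view.
include ERB::Util

# Constructed sample of user-entered content: an unclosed tag that would break
# the page layout, plus a script element that would run in the viewer's browser.
USER_INPUT = '<b>unclosed <script>alert("xss")</script>'

# <%= %> writes the value into the page verbatim (the problem the comment raises).
UNSAFE_TEMPLATE = "<p>Comment: <%= comment %></p>"

# <%=h %> escapes &, <, >, " and ' first, so the same content displays as text.
SAFE_TEMPLATE = "<p>Comment: <%=h comment %></p>"

# Evaluate an ERB template with `comment` bound as a local variable.
def render(template, comment)
  ERB.new(template).result(binding)
end

def render_unsafe(comment = USER_INPUT)
  render(UNSAFE_TEMPLATE, comment)
end

def render_safe(comment = USER_INPUT)
  render(SAFE_TEMPLATE, comment)
end

# A crude check a reviewer might run over rendered output: does any raw tag
# from the user's input survive into the page?
def raw_tag_leaked?(html)
  html.include?("<script") || html.include?("<b>")
end

if __FILE__ == $PROGRAM_NAME
  puts render_unsafe # script and <b> tags reach the browser as markup
  puts render_safe   # &lt;b&gt;unclosed &lt;script&gt;... is displayed as text
end
```

The unsafe rendering leaks the markup unchanged; the escaped rendering turns every `<` into `&lt;`, so the browser renders the comment as literal text and the page structure around it is preserved.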