2006 Jan 22
Escaping and Unescaping text in ERb
...scaped HTML, rather than a link.
>
> Douglas
Yes, that would be a problem using the current syntax.
The problem as I see it is that it is far too easy for someone to write
code like this...
<%= link_to :action => 'something' %>  # should output html
<%= object.unsafe_string %>             # should not output html
This relies on the programmer getting it right, and if they screw up,
they leave a gaping security hole. I've also seen many people asking
what 'h' means, which makes me concerned that it's missing from quite a
few places wher...