SpringFlowers AutumnMoon
2008-Sep-28 02:19 UTC
Re: h() or html_escape() not escape the single quote... risk
Andreas S. wrote:

> > <input type='hidden' value='<%= h(user_comment) %>'>
>
> Just don't, it's not correct HTML.

Really -- I thought HTML 4.01 allows using either double or single quotes?

--
Posted via http://www.ruby-forum.com/.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
jemminger
2008-Sep-30 02:50 UTC
Re: h() or html_escape() not escape the single quote... risk
On Sep 27, 10:19 pm, SpringFlowers AutumnMoon <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:

> Andreas S. wrote:
>
> > > <input type='hidden' value='<%= h(user_comment) %>'>
> >
> > Just don't, it's not correct HTML.
>
> Really -- I thought HTML 4.01 allows using either double or single quotes?

Perhaps, but if h() doesn't escape single quotes then you'd want to avoid using single quotes as the attribute value delimiter.
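As an added example (my own code, not anything posted in the thread), a small Ruby check of jemminger's point: it models an escaper that leaves the single quote alone, as the thread says h() did, renders the hidden input with either delimiter, and reads the attribute back the way a parser would, so the early termination is visible. A hardened escaper that maps ' to &#39;, and the current stdlib ERB::Util.html_escape (which already does so), are included for comparison; the module and method names are assumptions.

```ruby
# Added example, not code from the thread: why the attribute delimiter
# matters when the escaper leaves the single quote alone, and the fix.
require 'erb'

module AttrEscape
  module_function

  # Constructed stand-in for an escaper that handles only & < > " (what the
  # thread says h()/html_escape did at the time); ' passes through untouched.
  LEGACY_MAP = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;' }.freeze
  def legacy_escape(s)
    s.gsub(/[&<>"]/, LEGACY_MAP)
  end

  # Hardened escaper: also maps ' to &#39;, so neither delimiter survives raw.
  FULL_MAP = LEGACY_MAP.merge("'" => '&#39;').freeze
  def full_escape(s)
    s.gsub(/[&<>"']/, FULL_MAP)
  end

  # Current stdlib behaviour (Ruby 1.9+): html_escape also emits &#39; for '.
  def stdlib_escape(s)
    ERB::Util.html_escape(s)
  end

  # Renders the hidden input from the thread with the chosen delimiter and escaper.
  def hidden_input(value, delim: '"', escaper: :legacy_escape)
    %(<input type="hidden" value=#{delim}#{public_send(escaper, value)}#{delim}>)
  end

  # Reads the value attribute back the way a parser would: it ends at the
  # first raw occurrence of the delimiter. Returns nil if none is found.
  def parsed_value(tag)
    m = tag.match(/value=(["'])(.*?)\1/m)
    m && m[2]
  end

  # True when the whole escaped value survives as the attribute value, i.e.
  # the input could not terminate the attribute early.
  def attribute_intact?(value, delim:, escaper:)
    parsed_value(hidden_input(value, delim: delim, escaper: escaper)) == public_send(escaper, value)
  end
end
```

With the legacy escaper, a value such as `don't` is intact only inside double quotes; with either of the quote-aware escapers it is intact behind both delimiters.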