Hi all,

This is kind of a noob question. Can someone please explain what html safe means, what the function h in Rails does, and what the best times to use it are? Even links will be helpful, but I am doubtful any good explanations exist, because I did a little search and couldn't get more info.

I know that <%=h tries to make whatever we are writing to the web page html safe by stripping out all the HTML tags. Does this include all the <script> tags also??

Thanks in advance.

suman
On Apr 24, 10:05 am, Suman Gurung <sumangur...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
[...]
> I know that <%=h tries to make the whatever we are writing to the web
> page as html safe by stripping out all the html tags. Does this
> include all the <script> tags also??

Well, <script> is an HTML tag, isn't it?

Anyway, it's not quite true that h removes HTML tags. Rather, what it does is escape characters that have a special meaning in HTML, so that "<tag>" will become "&lt;tag&gt;".

> thanks in advance.
>
> suman

Best,
--
Marnen Laibow-Koser
http://www.marnen.org
marnen-sbuyVjPbboAdnm+yROfE0A@public.gmane.org
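To make the escape-versus-strip distinction above concrete, here is an added Ruby example; it is not code from this thread or from Rails itself. The helper names html_escape, strip_script_tags and script_tag_present? are hypothetical, the two payload strings are constructed for the demonstration, and the only real API used is the standard library's ERB::Util.html_escape, which Rails' h helper wraps. It shows that escaping leaves the attacker's text intact but inert, while a naive "remove the <script> tags" filter can be reassembled into a working tag.

```ruby
require 'erb'

# The five characters with special meaning in HTML text and quoted-attribute
# context, and the entities they become. This mirrors what Rails' h does:
# characters are *escaped*, nothing is removed.
HTML_ESCAPES = {
  '&' => '&amp;',
  '<' => '&lt;',
  '>' => '&gt;',
  '"' => '&quot;',
  "'" => '&#39;'
}.freeze

# Hypothetical helper: escape, the way h does. A single gsub pass with a
# hash replaces each character exactly once, so '&' is never double-escaped
# into '&amp;amp;' within one call.
def html_escape(untrusted)
  untrusted.to_s.gsub(/[&<>"']/, HTML_ESCAPES)
end

# Hypothetical helper: the "strip the tags" approach the question assumed.
# Shown only for contrast; it removes literal <script> and </script>
# substrings in one pass, which is what a blacklist filter typically does.
def strip_script_tags(untrusted)
  untrusted.to_s.gsub(%r{</?script>}i, '')
end

# Crude stand-in for "would a browser start a script element here?"
def script_tag_present?(markup)
  !!(markup =~ /<script\b/i)
end

# Constructed attacker input for the demonstration.
PAYLOAD = '<script>alert(1)</script>'.freeze

# Constructed input that survives a one-pass strip: removing the inner
# <script> and </script> joins the outer fragments back into a real tag.
NESTED_PAYLOAD = '<scr<script>ipt>alert(1)</scr</script>ipt>'.freeze

if __FILE__ == $0
  puts "escaped:         #{html_escape(PAYLOAD)}"
  puts "stripped nested: #{strip_script_tags(NESTED_PAYLOAD)}"
  puts "stdlib agrees:   #{html_escape(PAYLOAD) == ERB::Util.html_escape(PAYLOAD)}"
end
```

The escaped output still contains the word "script", which is exactly the point: the browser renders it as text rather than parsing it as an element. One caveat a practitioner should keep in mind: this kind of escaping is correct for HTML text and quoted attribute values, but on its own it is not sufficient for data placed inside a <script> block, an unquoted attribute, or a URL, where the browser is in a different parsing context.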
Alright. And that is how the XSS attack is prevented.

Suman

On Apr 24, 1:00 pm, Marnen Laibow-Koser <mar...-sbuyVjPbboAdnm+yROfE0A@public.gmane.org> wrote:
> On Apr 24, 10:05 am, Suman Gurung <sumangur...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> [...]
>
> > I know that <%=h tries to make the whatever we are writing to the web
> > page as html safe by stripping out all the html tags. Does this
> > include all the <script> tags also??
>
> Well, <script> is an HTML tag, isn't it?
>
> Anyway, it's not quite true that h removes HTML tags. Rather, what it
> does is escape characters that have a special meaning in HTML, so that
> "<tag>" will become "&lt;tag&gt;".
>
> > thanks in advance.
> >
> > suman
>
> Best,
> --
> Marnen Laibow-Koser
> http://www.marnen.org
> mar...-sbuyVjPbboAdnm+yROfE0A@public.gmane.org