Marcelo Barbudas wrote:
> Hi.
>
> Is there a way to disable the default xss escaping of everything in
> rails3?
I don''t know of a way to disable it entirely, that''s sort of
the point.
Safe by default.
When you want to bypass the escaping you can use to use the
''raw''
method:
<%= raw my_unsafe_string %>
Think of this as the opposite of the old ''h'' method.
> What's the proper way of doing string concatenations like below with
> rails3 if xss escaping can not be disabled:
> "something #{link_to('something else') if value == true}"
In helpers it's also possible to mark the string as html_safe:
"something #{link_to('something else') if value == true}".html_safe
Read this as, "I'm telling you that this is safe so don't escape it."
--
Posted via http://www.ruby-forum.com/.
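The behaviour described in the reply above, as an added stand-alone example that is not part of the thread and not Rails' own code: a cut-down stand-in for ActiveSupport's SafeBuffer plus a simplified `link_to`, so it runs without Rails. It shows why plain interpolation of `link_to` output gets escaped in Rails 3 (the interpolated result is an ordinary String, not a SafeBuffer), what `.html_safe` and `raw` change, and the caveat that marking a whole interpolated string safe also passes through anything untrusted that was interpolated into it. `render`, `SafeBuffer`, `link_to` and `escaped_then_marked_safe` are constructed for this example and only approximate the real Rails helpers.

```ruby
require 'cgi'

# Constructed stand-in for ActiveSupport::SafeBuffer (not Rails' implementation).
# A SafeBuffer is a String that declares its contents to be trusted markup.
class SafeBuffer < String
  def html_safe?
    true
  end
end

class String
  # Ordinary strings are untrusted: the view layer will escape them.
  def html_safe?
    false
  end

  # "I'm telling you that this is safe so don't escape it."
  def html_safe
    SafeBuffer.new(self)
  end
end

# The 'raw' helper: mark a value as safe at the point of output.
def raw(value)
  value.to_s.html_safe
end

# What <%= %> does in Rails 3: escape unless the value says it is html_safe.
def render(value)
  value.html_safe? ? value.to_s : CGI.escapeHTML(value.to_s)
end

# Simplified link_to (constructed): escapes its inputs and returns trusted markup.
def link_to(text, href = "#")
  %(<a href="#{CGI.escapeHTML(href)}">#{CGI.escapeHTML(text)}</a>).html_safe
end

# Case 1 (the question): interpolating a SafeBuffer into a string literal
# produces a plain String, so the whole thing, anchor tag included, is escaped.
def interpolated(value)
  "something #{link_to('something else') if value == true}"
end

# Case 2 (the reply): mark the whole string as html_safe so it is emitted as-is.
def interpolated_marked_safe(value)
  "something #{link_to('something else') if value == true}".html_safe
end

# Case 3 (the caveat): once the whole string is marked safe, untrusted input
# interpolated into it is emitted verbatim. This is the XSS hole html_safe
# can reopen if it is applied to strings that contain user data.
def marked_safe_with_user_input(user_input)
  "hello #{user_input}".html_safe
end

# Case 4: escape the untrusted piece explicitly, then mark the assembled markup
# safe. Only the parts you built or escaped yourself are trusted.
def escaped_then_marked_safe(user_input)
  "hello #{CGI.escapeHTML(user_input)} #{link_to('something else')}".html_safe
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: markup supplied by a user.
  user_input = "<b>x</b>"
  puts render(interpolated(true))                    # escaped anchor
  puts render(interpolated(false))                   # "something "
  puts render(interpolated_marked_safe(true))        # live anchor
  puts render(raw(interpolated(true)))               # same as html_safe
  puts render(marked_safe_with_user_input(user_input)) # user markup passes through
  puts render(escaped_then_marked_safe(user_input))  # user markup escaped, anchor live
end
```

Run it with `ruby safe_buffer_demo.rb`. The design point is that html_safe is a property of the String object, not of its contents: interpolation always builds a fresh, untrusted String, so the safe way to assemble markup in a helper is to escape the untrusted fragments first and only then call `.html_safe` on the result.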
--
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en.