Displaying 5 results from an estimated 5 matches for "sanitizehelper".
2007 Nov 16
0
ActionView::Helpers::SanitizeHelper.sanitize docs
Hello,
First sentence of sanitize() method doc says: "This sanitize helper
will html encode all tags and strip all attributes that aren't
specifically allowed."
But sanitize("<h1>foo</h1> <bar>should html encode</bar>") ==
"<h1>foo</h1> should html encode".
Shouldn't it html encode <bar> to
2009 Mar 05
0
Insert using Rake Task
...ml = decode_entities(new_html) # remove html encoded items
new_html = new_html.strip # remove any whitespace from the edge of content
end
namespace :mysqldata_select do
LOCATIONS = {1 => 6, 2 => 5, 3 => 5}
task :sqldata_update => :environment do
include ActionView::Helpers::SanitizeHelper
MysqlData::TableName.all(:conditions => {:field_id => [1,2,3]},
:order => :field_primary).each{ |j|
r = TableName.new
# place
r.field = j.field_primary
r.location_id = LOCATIONS[j.field_id]
# save the item to get an ID
r.save
# find any transl...
2011 Apr 14
2
what is the h for in <td><%=h s.name %></td>?
<% songs.each do |s| %>
<td><%=h s.name %></td>
<% end %>
If I remove the h, the output is still the same. Thank you for
your replies
2008 Feb 01
4
How to sanitize _before_ going into the database?
I use a call to the sanitize method every time I render some user
input, but it would be much nicer if I could clean it up once before
putting it into the database and avoid having to call the (relatively
expensive) sanitize every time I render a page.
My first thought was to just add something like:
def message=(x)
self[:message]=sanitize(x)
end
However, the sanitize helper cannot be called
2007 Nov 29
27
Strip & Sanitize BEFORE saving data
So I've googled my brains out, and I see a lot of talk about
TextHelper for views, but next to no discussion about cleaning text
_before_ it is saved.
I figured this had to be asked 4 zillion times, but I'm not finding
anything concrete/obvious.
Using h is fine as a safety catch, but that alone is not acceptable
to me as the means of diffusing the impact of HTML or JS