similar to: Escaping and Unescaping text in ERb

Displaying 20 results from an estimated 3000 matches similar to: "Escaping and Unescaping text in ERb"

2006 Jan 22
9
ERROR: undefined method `h' for ERB::Util:Module
ERROR: undefined method `h' for ERB::Util:Module i get above error when i use ERB::Util.h(content) in my controller's action. can anyone tell me how to use this 'h' method within controller? thanks, Jigar Gosar http://jigar.org -- Posted via http://www.ruby-forum.com/.
2006 Sep 07
5
url_for always escape string.
according to the documentation, only the url_for from ActionView escape the URL. which happens on this line escape ? html_escape(url) : url and can be prevented by passing :escape => false to url_for. still according to the documentation, the url_for from ActionController is not supposed to escape the url. BUT IT DOES. at the moment of this line escape ? html_escape(url) : url url has
2015 Feb 10
3
[PATCH 1/3] generator: add a simple HTML escaping function
--- generator/utils.ml | 8 +++++++- generator/utils.mli | 3 +++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/generator/utils.ml b/generator/utils.ml index b24ba8c..3a62084 100644 --- a/generator/utils.ml +++ b/generator/utils.ml @@ -360,4 +360,10 @@ let args_of_optargs optargs = | OInt64 n -> Int64 n | OString n -> String n | OStringList n ->
2006 Jan 31
19
Best Practices: Escaping text on input or output?
In web applications that have user generated content, it is clearly necessary to provide some ability to 'escape' user generated text to avoid SQL injection, XSS, and other nasty attacks. The existing dogma on this point seems to favor escaping text as it comes out of the database, rather than doing it on the way in. I'm not sure that I understand the logic behind
2013 Nov 08
1
Dict client unescaping sieve script
I've created a dict service that listens on a unix socket and answers queries for sieve scripts (among other things). As I understand it (from the source code at http://hg.dovecot.org/dovecot-2.2/file/tip/src/lib-dict/dict-client.c), the dict client will unescape \001n, \001t, and \0011 to line feeds, tabs, and the \001 character respectively. In my service I am escaping those three
2005 Dec 30
0
Unescaped selection options
Been having a tough time finding any info on this subject (somewhat surprising actually). Looking thru the code, Rails automatically html_escape's all option values and while this is generally good, I have some categories that have HTML embedded in them and therefore am looking for a way to turn this off. So far I have found none and am writing my own code to do this. If anyone knows
2006 Aug 07
1
DirHandler in surplus slashing / unrequited unescaping
im using Mongrels to serve up /usr/portage/packages for other gentoo boxen. since i guess im the guinea pig with the DirHandler, ran into a couple issues: first, the client showed no files in the remote binhost, turns out the DirHandler was adding a trailing "/" to every filename, presumably making the client think they were directories, not files. attached is a patch which fixes this
2008 Jan 31
0
Cross Site Sniper 0.2 (stable)
I'm pleased to announce the release of Cross Site Sniper 0.2. Cross Site Sniper is one more addition to the ever growing list of tools that attempt to provide a convenient and DRY method to protect Rails sites from Cross Site Scripting (XSS) attacks. There are many plugins and tools out there that attempt to address this issue, but none of them met my requirements. So, I created
2005 Aug 23
2
HTML escape of umlauts
Cheers, I work on a german site that obviously includes german words with umlauts in its data. It seems like the html_escape function (or simply h() function) will not escape umlauts: <%=h "ä" %> Will not produce &auml; What is the best way to do this? Thanks, Jonathan -- Jonathan Weiss http://blog.innerewut.de
2006 Jan 18
4
Ruby "htmlentities" replacement: code review please!
Hi Railers, For some time now I've been looking for a decent Rails equivalent of PHP's "htmlentities" command, because ERB's html_escape (or more commonly called as just "h", eg. <%=h @somevariable %> ) just doesn't go far enough for me. Back in PHP land, I actually had an extended version of the htmlentities command to deal with
2005 Jun 08
1
Possible security flaw in OpenSSH and/or pam_krb5
openssh-unix-dev at mindrot.org kerberos at ncsa.uiuc.edu We believe there is a security flaw in either OpenSSH and/or RedHat's pam_krb5 module. When a Kerberos principal has the REQUIRES_PWCHANGE (+needchange) flag set, OpenSSH+pam_krb5 will still successfully authenticate the user. Local 'su' and 'login' fail in this case which leads us to believe it's at least
2006 Jul 28
1
escape/unescape attribution
Not filing this as a bug, but simply as confusion. In the mongrel.rb, you have a comment that says this about the self.escape method: # Performs URI escaping so that you can construct proper # query strings faster. Use this rather than the cgi.rb # version since it's faster. (Stolen from Camping). def self.escape(s) s.to_s.gsub(/([^ a-zA-Z0-9_.-]+)/n) {
2014 Oct 31
6
[PATCH 0/3] WIP readline escaping functions
From: Maros Zatko <hacxman@gmail.com> Auxiliary functions for readline to support space character escaping in filenames in future. Escaping function is taken from fish.c (used to be parse_quoted_string) plus its un-escaping counterpart. There are a few tests for both. Maros Zatko (3): fish: rl.{c,h} - escaping functions for readline fish: basic tests for readline escaping autotools:
2006 Jan 12
0
Re: RE: Re: Re: Auto refreshing a page based on select chang
> -----Original Message----- > From: rails-bounces@lists.rubyonrails.org > [mailto:rails-bounces@lists.rubyonrails.org] On Behalf Of > Kevin Olbrich > Sent: Wednesday, January 11, 2006 3:14 PM > To: rails@lists.rubyonrails.org > Subject: [Rails] Re: RE: Re: Re: Auto refreshing a page based > on select chang > > > Daniel Berger wrote: > > > <%=
1999 Oct 27
0
Installation problems
Hi, after downloading I tried to install the package according to the instructions given in the INSTALL file. However, after some time an error occurred, I accumulated the error messages in the attached file. There are a lot of unreferenced symbols which I don't know of. Can anybody help me ? With kind regards G.O.
2008 May 27
2
mbox From escaping implementation ?
Hello, I read in the wiki (http://wiki.dovecot.org/MailboxFormat/mbox) about "From Escaping": "Dovecot doesn't currently do this escaping however. Instead it prevents this confusion by adding Content-Length headers so it knows later where the next message begins. Dovecot doesn't either remove the '>' characters before sending the data to clients. Both of these
2014 Oct 31
0
[PATCH 2/3] fish: basic tests for readline escaping
From: Maros Zatko <mzatko@redhat.com> --- fish/test/Makefile.am | 39 ++++++++++++++++ fish/test/testquoting.c | 120 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 159 insertions(+) create mode 100644 fish/test/Makefile.am create mode 100644 fish/test/testquoting.c diff --git a/fish/test/Makefile.am b/fish/test/Makefile.am new file mode 100644 index
2017 Feb 17
2
current situation with flash plugins?
Is Adobe the only provider of flash plugins? Is it still a gaping security hole? Do the answers depend on the browser? -- Michael hennebry at web.cs.ndsu.NoDak.edu "Sorry but your password must contain an uppercase letter, a number, a haiku, a gang sign, a heiroglyph, and the blood of a virgin." -- someeecards
2006 Jul 13
4
script injection/cross-site scripting protection
When is it possible to set <script>while(true){}</script> as the value of project.name, what is the best way to escape the output of the following? <td><%= project.name %></td> Dennis Byrne
2010 Apr 19
1
Character escaping in item name
Hi! In the rsync man page under " -8, --8-bit-output", it says: . . . All control characters (but never tabs) are always escaped, regardless of this option's setting. The escape idiom that started in 2.6.7 is to output a literal backslash (\) and a hash (#), followed by exactly 3 octal digits. For example, a newline would output as "\#012". A literal backslash