
I realized that if I put HTML code in a Rails text area, it will output the HTML.

For instance:

<b> Hello </b>

outputs as:

Hello

I thought Rails 3 text inputs automatically escaped HTML, but whenever I output @variable.textarea, it still shows the bold text. Is it being selective about what HTML to input? And how do I make sure all HTML is always escaped when I output the content of my textarea?

Thanks!


1 Answer


If <b>hello</b> comes out as hello, that means HTML escaping is already prevented.

Since you don't want users to be able to use HTML in their inputs, you want HTML to be escaped, so that <b>hello</b> comes out as <b>hello</b>.

In a Rails 3 application, HTML is escaped automatically, but you can escape it explicitly with the h method:

<%= h my_string %>
answered 2013-03-30T23:34:28.473
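To make the escaping behaviour concrete, here is an added example that is not part of the question or the answer above. It uses only Ruby's standard library (ERB::Util.html_escape, the method behind Rails' h helper) so it runs without Rails; the helper names escape_for_html, render_unescaped and render_escaped and the sample strings are constructed for the illustration.

```ruby
# Added example: what `h` does to user-supplied text, and what a view
# looks like with and without it. Plain ERB (unlike Rails' <%= %>) does
# NOT escape automatically, which is exactly why the two renderers below
# differ; in a Rails 3 view the escaped form is the default.
require 'erb'

# Escape a string the way `<%= h my_string %>` does in a Rails view.
# ERB::Util.html_escape turns & < > " ' into their HTML entities, so a
# browser shows the characters instead of interpreting them as markup.
def escape_for_html(text)
  ERB::Util.html_escape(text)
end

# Echo the stored text straight into the page (the behaviour the question
# describes: the browser renders <b>...</b> as bold).
def render_unescaped(text)
  ERB.new("<p><%= text %></p>").result(binding)
end

# Same template, but the value goes through `h` first, so the browser
# displays the literal tags as text.
def render_escaped(text)
  ERB.new("<p><%= ERB::Util.h(text) %></p>").result(binding)
end

if __FILE__ == $PROGRAM_NAME
  stored = "<b> Hello </b>"              # constructed: what the textarea submitted
  puts render_unescaped(stored)          # <p><b> Hello </b></p>
  puts render_escaped(stored)            # <p>&lt;b&gt; Hello &lt;/b&gt;</p>
  puts escape_for_html(%q(Tom & "Jerry" <3))  # Tom &amp; &quot;Jerry&quot; &lt;3
end
```

In a Rails 3 view, `<%= @variable.textarea %>` already produces the escaped form, so bold text showing up in the page means the value is being output somewhere that bypasses escaping (for example through `raw` or a string marked `html_safe`); the place to check is the view that renders the field, not the form that accepts it.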