Like almost all apps today, I have users who enter various information through standard text inputs. My app is running on Rails.

It's a no-brainer to escape ampersands that I include as part of the site copy, etc. But how do I escape an ampersand that is dynamically inputted by a user? Currently, it's totally breaking my frontend validation.

Thanks!

+3  A: 

When you display the values you need to replace certain characters with HTML entities. Those characters are:

& : &amp;
< : &lt;
> : &gt;
" : &quot;

Perhaps there is a HtmlEncode function that you can use for that, otherwise you can use plain string operations. Pseudo code:

output replace(replace(replace(replace(text, "&", "&amp;"), "<", "&lt;"), ">", "&gt;"), """", "&quot;")

Edit:
I found that you can use the html_escape() function:

<%=html_escape @text%>

Or short:

<%=h @text%>
Guffa
+1 `h` is the Rails way to HTML-escape in a template. **You must always use this!** It's not just a matter of making ampersands look right; if you output text content into HTML without escaping it you've got a cross-site-scripting security hole.
bobince
Follow up tip for other newbies reading this later. In my particular situation, the text was hyperlinked. I'm using the link_to method. If you try doing <%=h link_to url, url %>, then your url will get printed out on the screen. The way to do it is like this: <%= link_to(h(url), url) %>
MikeH
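Putting the answer's replacement table into working Ruby, as an added example that is not part of the original answer or of Rails: a stand-alone escaper with the same mappings as Rails' html_escape (which also escapes the single quote), plus a link builder for the case MikeH describes, where user text is both the href and the visible label. No Rails is needed; the sample input is constructed.

```ruby
# Added example (not from the original post): a minimal HTML escaper
# mirroring what Rails' html_escape / h does, plus a link builder that
# shows where escaping must happen when user text is hyperlinked.
# Constructed sample input below; no Rails dependency.

HTML_ESCAPE_MAP = {
  "&" => "&amp;",
  "<" => "&lt;",
  ">" => "&gt;",
  '"' => "&quot;",
  "'" => "&#39;"    # Rails' ERB::Util.html_escape also escapes the single quote
}.freeze

# Replace every special character in a single pass, so an "&amp;" produced
# for one character is never re-escaped. The answer's chained replace only
# works because it handles "&" first; a single-pass map avoids that ordering trap.
def html_escape(text)
  text.to_s.gsub(/[&<>"']/, HTML_ESCAPE_MAP)
end

# Build an anchor whose href and visible text both come from user input.
# The attribute value and the text content are escaped separately, and the
# href is always quoted: an unquoted attribute can be terminated by a space.
def escaped_link(url)
  escaped = html_escape(url)
  %(<a href="#{escaped}">#{escaped}</a>)
end

# Constructed user input: an ampersand (the original question) and a tag
# that must come out as inert text, not markup.
USER_INPUT = %(Tom & Jerry <script>alert(1)</script>)

if __FILE__ == $0
  puts html_escape(USER_INPUT)
  # Tom &amp; Jerry &lt;script&gt;alert(1)&lt;/script&gt;
  puts escaped_link(%(http://example.com/?a=1&b=2"))
end
```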