
I'm just getting started with RoR (and web development in general).

I know that when outputting user-supplied data we should escape it with the h() helper.

Is there a way to ensure that all form data (params?) received by an action is guaranteed to be escaped automatically? (I do understand that it's a wise decision to escape HTML when displaying in a view, which I will be doing in any case.)

1 Answer


Don't know if this is the answer you were looking for, but you can do this by upgrading your app to Rails 3 - quoting Ryan Bates: "In Rails 3, however, output is escaped automatically so there's no need to put the h method" - read the asciicast or watch the railscast :)


2 Comments

Thanks, that's great news on the "output" front, but I was wondering if it was possible to do the escaping such that even the action would only get HTML-escaped text? (Would love to use Rails 3.0 but there seem to be problems with the mysql2 gem that doesn't work with it :( )
Seems like there is a plugin for this (for RoR 2.3.7+, I believe) called rails_xss. Thanks for your input!
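An added example (not from the question or answer above) contrasting the two approaches discussed: escaping once at output time, which is what Rails 3 and the rails_xss plugin do, versus escaping params on the way into the action. It uses the stdlib `ERB::Util.html_escape`, the method behind Rails' `h()` helper, and a constructed sample input; the function names are assumptions for the demo.

```ruby
require 'erb'

# Constructed sample input, the kind of value a form field might deliver.
RAW_COMMENT = %q(<script>alert("xss")</script> Tom & Jerry's "show")

# Output-time escaping (Rails 3 / rails_xss model): store the raw value,
# escape exactly once when rendering it into HTML.
def render_comment(raw)
  "<p>#{ERB::Util.html_escape(raw)}</p>"
end

# Input-time escaping (what the question asks about): escape every param
# value inside the action before it is stored or used.
def escape_on_input(params)
  params.transform_values { |v| ERB::Util.html_escape(v) }
end

# The failure mode of input-time escaping once the view escapes by default:
# the stored value is escaped a second time at render, so visitors see
# literal "&lt;" and "&amp;" instead of the characters the user typed.
def double_escaped(raw)
  render_comment(escape_on_input("body" => raw)["body"])
end

def demo
  { once: render_comment(RAW_COMMENT), twice: double_escaped(RAW_COMMENT) }
end

puts demo if $PROGRAM_NAME == __FILE__
```

Escaping at output time also keeps the raw value available for non-HTML uses (JSON, e-mail, logs), where HTML entities would be wrong.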
