Is it safe to put params in a flash notice?
Here's my action code in my controller.
    def index
      if params[:writer]
        # Filtering by writer: redirect with a notice when nothing matches.
        # The notice string is built from the raw request parameter.
        if Article.published.where('writer = ?', params[:writer]).count < 1
          redirect_to articles_url, :notice => "There are no articles by #{params[:writer]}"
        else
          @articles = Article.published.where('writer = ?', params[:writer]).order('published_at DESC').page(params[:page]).per(20)
        end
      else
        # No filter: list all published articles, newest first.
        @articles = Article.published.order('published_at DESC').page(params[:page]).per(20)
      end
    end
I think the question is fairly obvious. In some simple testing Rails seems to escape that :notice
just fine, but I wanted to make sure I wasn't asking for trouble by doing that.
That should be fine. Rails 3 escapes HTML by default when you display it via <%= %>
If you ever need it unescaped you would display it as
    <%= flash[:notice].html_safe %>
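The escaping the answer relies on, as an added example that is neither the question's code nor Rails' own: a minimal stand-in for ActiveSupport::SafeBuffer (the buffer behind <%= %>) that escapes untrusted strings and passes html_safe ones through, fed the same notice the controller above builds from params[:writer]. The SafeBuffer class, render_flash and the sample writer value are constructed for this example.

```ruby
require 'cgi'

# Every plain String is untrusted; calling html_safe wraps it in SafeBuffer.
# (Constructed stand-in for the ActiveSupport core extensions, not Rails' code.)
class String
  def html_safe?
    false
  end

  def html_safe
    SafeBuffer.new(self)
  end
end

# A String that is trusted. Appending an untrusted String HTML-escapes it;
# appending a trusted one (html_safe? == true) leaves it as-is. This is the
# rule <%= %> applies when it writes into the view's output buffer.
class SafeBuffer < String
  def html_safe?
    true
  end

  def <<(str)
    super(str.html_safe? ? str : CGI.escapeHTML(str))
  end
  alias concat <<
end

# Builds the notice exactly as the controller does: the parameter is
# interpolated into an ordinary String, so the result is untrusted.
def no_articles_notice(writer)
  "There are no articles by #{writer}"
end

# Simulates rendering the flash in a view.
#   raw: false  ->  <%= notice %>            (default: escaped)
#   raw: true   ->  <%= notice.html_safe %>  (opt-out: markup passes through)
def render_flash(notice, raw: false)
  buf = SafeBuffer.new('<p class="notice">')
  buf << (raw ? notice.html_safe : notice)
  buf << '</p>'.html_safe
  buf.to_str
end

# Constructed sample value for params[:writer] carrying markup and an ampersand.
SAMPLE_WRITER = '<b>Ann & Bob</b>'

if __FILE__ == $PROGRAM_NAME
  puts render_flash(no_articles_notice(SAMPLE_WRITER))
  puts render_flash(no_articles_notice(SAMPLE_WRITER), raw: true)
end
```

The first line printed shows the notice with &lt;, &gt; and &amp; entities, i.e. what the questioner observed; the second shows what opting out with html_safe lets through.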