Escaping ampersands input by users through text fields?
Like almost all apps today, I have users who enter various information through standard text inputs. My app is running on Rails.
It's a no-brainer to escape ampersands that I include as part of the site copy, etc. But how do I escape an ampersand that is dynamically input by a user? Currently, it开发者_C百科's breaking my frontend validation.
When you display the values you need to replace certain characters with HTML entities. Those characters are:
& : &
< : <
> : >
" : "
Perhaps there is a HtmlEncode function that you can use for that, otherwise you can use plain string operations. Pseudo code:
output replace(replace(replace(replace(text, "&", "&"), "<", "<"), ">", ">", """", """)
Edit:
I found that you can use the html_escape() function:
<%=html_escape @text%>
Or short:
<%=h @text%>
精彩评论