
(ruby) does one escape using h() in view files only for security, or in controller files as well?

I receive input in the form of URL strings (aka controller/action?example=yes), and I'm wondering if I need to escape the content of the string for security.

For example, if I assign the param to a variable:

example = params[:example].to_s

do I need to escape anything? or do I only apply h() when I put the value of :example back in the view file?


It depends on what you are doing with it. If you are worried about SQL injections, then you can trust ActiveRecord, like doing:

Examples.find_by_name params[:example]

or

Examples.find(:all, :conditions => ["name = ?", params[:example]])  # the ? placeholder binds the value instead of interpolating it

On the other hand, the common strategy is to filter on the display side: you save the input as is, and you filter on display (views) by using h().

If you still want to save some HTML input from the user, as when using rich editors, then you have to pay extra attention to XSS attacks, and so you have to filter the input. One great gem for filtering HTML is Sanitize; use it to save a modified, filtered version of the user input for use in views.

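To make the answer's "store raw, escape in the view" advice concrete, here is an added example (not from the original post) using Ruby's standard ERB::Util.html_escape, which is what Rails' h() helper wraps; the parameter value and the helper names are constructed for illustration. It contrasts rendering the raw value, escaping once at render time, and escaping in the controller as well, which double-encodes the output.

```ruby
require 'erb'

# Constructed sample request parameter; a mix of a legitimate '&' and
# markup that must never reach the browser unescaped.
SAMPLE_PARAMS = { example: 'Tom & Jerry <script>alert(1)</script>' }.freeze

# Controller side: keep the value exactly as received (no escaping here).
def assign_param(params)
  params[:example].to_s
end

# Vulnerable view: interpolates the stored value directly into the markup.
def render_raw(value)
  "<p>#{value}</p>"
end

# Correct view: h() is applied once, at output time.
def render_escaped(value)
  "<p>#{ERB::Util.html_escape(value)}</p>"
end

# What happens if the controller escapes too: the '&' of each entity
# produced by the first pass is escaped again by the view.
def render_double_escaped(value)
  render_escaped(ERB::Util.html_escape(value))
end

# Simple check a reviewer can run on rendered output: no raw tag remains.
def markup_safe?(html)
  body = html.sub(/\A<p>/, '').sub(%r{</p>\z}, '')
  !body.include?('<') && !body.include?('>')
end
```

The double-escaped output shows `&amp;amp;` and `&amp;lt;`, which the browser displays literally, so the user sees `&amp;` and `&lt;` instead of `&` and `<`.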