
rails_xss, prefer raw or .html_escape?

Which is preferable?

<%= raw @item.description %>

or

<%= @item.description.html_safe %>


If you are outside of a view, then the raw helper is not accessible (you can include it anywhere, but by default it is not available in a model / controller). So in those cases html_safe is the only sane option.

And inside a view? Well, here is the source code of the raw helper:

# actionpack-3.0.0/lib/action_view/helpers/raw_output_helper.rb
def raw(stringish)
  stringish.to_s.html_safe
end

so there is almost no difference, as raw simply calls #html_safe.


As Radek notes, raw uses html_safe, but because it first casts to a string, it avoids null exceptions. Therefore, raw is slightly better!

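To make the two points in the answers concrete (raw and html_safe produce the same unescaped output, and raw tolerates nil because of the to_s), here is an added example that is not from either answer or from Rails itself. It reimplements just enough of ActiveSupport's String#html_safe / SafeBuffer to run without Rails; the names SafeBuffer, escape_html, render_description and nil_comparison are this example's own assumptions, and raw is copied from the source quoted above.

```ruby
require 'cgi'

# Assumed stand-in for ActiveSupport::SafeBuffer: a String the template
# engine treats as already-escaped markup and therefore emits verbatim.
class SafeBuffer < String
  def html_safe?
    true
  end
end

class String
  # Mimics ActiveSupport's String#html_safe: mark this string as trusted HTML.
  # As in Rails, this method exists only on String, so nil.html_safe raises.
  def html_safe
    SafeBuffer.new(self)
  end

  def html_safe?
    false
  end
end

# The raw helper exactly as quoted from actionpack: to_s first, then html_safe.
def raw(stringish)
  stringish.to_s.html_safe
end

# What <%= %> does: escape unless the value has been marked safe.
# nil has no html_safe? here, so it falls through to escaping "" (to_s).
def escape_html(value)
  safe = value.respond_to?(:html_safe?) && value.html_safe?
  safe ? value.to_s : CGI.escapeHTML(value.to_s)
end

# Renders a description the three ways discussed on the page and returns
# the output of each, so the results can be compared side by side.
def render_description(description)
  {
    default:   escape_html(description),            # <%= description %>
    raw:       escape_html(raw(description)),       # <%= raw description %>
    html_safe: escape_html(description.html_safe)   # <%= description.html_safe %>
  }
end

# Shows the nil difference: raw(nil) yields a safe "", nil.html_safe raises.
def nil_comparison
  html_safe_result = begin
    nil.html_safe
  rescue NoMethodError => e
    e.class.name
  end
  { raw: raw(nil), html_safe: html_safe_result }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: user-supplied markup that should NOT be trusted.
  untrusted = "<b>Hi</b> & \"bye\""
  render_description(untrusted).each { |mode, out| puts "#{mode}: #{out}" }
  puts "nil: #{nil_comparison.inspect}"
end
```

Both raw and html_safe switch escaping off entirely, so the choice between them only matters for nil handling; the decision that actually affects XSS exposure is whether @item.description is user-controlled at all. For user-supplied content, keep the default escaping (or sanitize first) and reserve raw / html_safe for markup the application itself generated.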
