What does h() really do?
I know it is about the dangers of cross-site scripting. But can anyone explain in detail?
It escapes HTML entities in the data to be rendered. h() is an alias for html_escape().
http://apidock.com/rails/ERB/Util/html_escape
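To see the difference h() makes, here is an added example (not from the original answer) that renders the same constructed user comment through a plain ERB template with and without h(). It uses only Ruby's standard library: ERB::Util provides h / html_escape, the same helper Rails 2.x views used.

```ruby
require "erb"
include ERB::Util # gives us h() / html_escape(), as available in Rails views

# Constructed sample of user-supplied data, e.g. a comment read back from the database.
USER_COMMENT = '<script>alert("xss")</script>'

# Renders the comment as-is: the browser would parse and execute the script tag.
def render_unescaped(comment)
  ERB.new("<p><%= comment %></p>").result(binding)
end

# Renders through h(): <, >, &, " and ' become entities, so the browser shows the
# text literally instead of treating it as markup.
def render_escaped(comment)
  ERB.new("<p><%= h(comment) %></p>").result(binding)
end

if __FILE__ == $0
  puts render_unescaped(USER_COMMENT) # <p><script>alert("xss")</script></p>
  puts render_escaped(USER_COMMENT)   # <p>&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;</p>
end
```

Note that h() only addresses output into HTML text and attribute values; data placed into JavaScript, URLs or CSS needs the escaping rules of that context instead.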
The h() statement is a way to protect against cross-site scripting, which is a vulnerability that sites can suffer when displaying data that was once entered by users. h() was necessary for Rails 2.x, but it has been made the default in Rails 3, so if you are using Rails 3 you do not need to use h() at all.
Here are some details from Ryan Bates and Asciicasts:
http://asciicasts.com/episodes/204-xss-protection-in-rails-3
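The Rails 3 behaviour described above (escaping on by default, with an explicit opt-out for strings already marked as safe HTML) can be modelled in a few lines. This is an added example, not Rails code: SafeString, mark_safe and auto_escape are this example's own names standing in for Rails' SafeBuffer, String#html_safe / raw, and the escaping the view layer applies automatically.

```ruby
require "erb"

# Stand-in for Rails' SafeBuffer: a String subclass that records "already escaped /
# trusted HTML". Nothing else about it is special.
class SafeString < String; end

# Equivalent of String#html_safe or raw(): declares the content trusted, so it is
# emitted verbatim. This is the only way markup in user data reaches the page.
def mark_safe(str)
  SafeString.new(str)
end

# What Rails 3 does for every <%= %>: escape unless the value is marked safe.
# The result is itself marked safe, which is why passing it through twice does
# not produce double escaping (&amp;lt; instead of &lt;).
def auto_escape(value)
  return value if value.is_a?(SafeString)
  mark_safe(ERB::Util.html_escape(value.to_s))
end

# Template-style rendering of a comment with the default behaviour.
def render_comment(comment)
  "<p>#{auto_escape(comment)}</p>"
end

if __FILE__ == $0
  user_input = '<b onmouseover="alert(1)">hi</b>' # constructed untrusted input
  puts render_comment(user_input)            # escaped: shown as literal text
  puts render_comment(mark_safe(user_input)) # opt-out: markup goes through unchanged
end
```

The practical consequence for Rails 3 code review is that html_safe and raw are the places to look: once a string carrying user data is marked safe, the default escaping no longer applies to it.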