
What does h() really do?

I know it is about the dangers of cross-site scripting. But can anyone explain in detail?


It escapes HTML entities in the data to be rendered. h() is an alias for html_escape().

http://apidock.com/rails/ERB/Util/html_escape


The h() statement is a way to prevent against cross-site scripting, which is a vulnerability that sites can suffer when displaying data that was once entered by users. The h() was necessary for Rails 2.x but it has been made the default in Rails 3, so if you are using Rails 3 you do not need to use the h() at all.

Here are some details from Ryan Bates and Asciicasts:

http://asciicasts.com/episodes/204-xss-protection-in-rails-3

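The two answers above say what h() does but not what it looks like in practice. The following is an added example, not code from either answer or from Rails itself; it uses Ruby's standard-library ERB::Util.html_escape, which is the method Rails' h() delegates to, and a constructed user comment (USER_COMMENT) that contains markup. It renders the same comment once unescaped, as a Rails 2.x template without h() would, and once escaped, so the difference is visible.

```ruby
require 'erb'

# Constructed sample input: a comment a user might submit to a site,
# carrying a <script> tag, an ampersand and an <a> tag with quotes.
USER_COMMENT = %q{Great post! <script>alert("xss")</script> & see <a href='x'>link</a>}

# Render the comment into an HTML fragment without escaping.
# This is what an unescaped <%= comment %> produced in Rails 2.x:
# the user's markup becomes part of the page and the script runs.
def render_unescaped(comment)
  "<p class=\"comment\">#{comment}</p>"
end

# Render the same comment through html_escape (what h() is an alias for).
# The five HTML-significant characters & < > " ' are replaced by entities,
# so the browser shows the markup as literal text instead of executing it.
def render_escaped(comment)
  "<p class=\"comment\">#{ERB::Util.html_escape(comment)}</p>"
end

# Simple check a reviewer can run on rendered output: does the fragment
# still contain a live <script> tag?
def contains_live_script?(html)
  html.include?('<script')
end

if __FILE__ == $0
  puts render_unescaped(USER_COMMENT)   # script tag survives as markup
  puts render_escaped(USER_COMMENT)     # script tag survives only as &lt;script&gt; text
end
```

Note that html_escape is the right tool for data placed in HTML text or attribute values; data inserted into a JavaScript block, a URL, or a CSS rule needs escaping appropriate to that context, which h() does not provide.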
