so h() is an alias for html_escape() and they convert the following 4
characters
< > & "
into
&lt; &gt; &amp; &quot;
the single quote is not converted...
I just wonder sometimes we happen to write code such as
<input type='hidden' value='<%= h(user_comment) %>'>
and it can cause a cross-site scripting (XSS) attack?
we usually use double quote but sometimes we use single quote like
somebody can write
puts "<input type='hidden' value='" + h(user_comment) + "'>"
(sorry, I have used PHP for quite some time and so my Ruby is rusty...)
--
Posted via http://www.ruby-forum.com/.
This is a Rails question. Please ask Rails questions in a Rails forum,
not on the Ruby mailing list.
SpringFlowers AutumnMoon wrote:
the single quote is not converted...
I just wonder sometimes we happen to write code such as
<input type='hidden' value='<%= h(user_comment) %>'>
Just don't, it's not correct HTML.
--
Posted via http://www.ruby-forum.com/.
Hi,
At Sun, 28 Sep 2008 04:28:45 +0900,
SpringFlowers AutumnMoon wrote in [ruby-talk:316193]:
the single quote is not converted...
I guess that is because the character entity reference of
single quote isn't defined in HTML.
we usually use double quote but sometimes we use single quote like
somebody can write
puts "<input type='hidden' value='" + h(user_comment) + "'>"
You can use other delimiters than double quote and single quote.
puts %[<input type="hidden" value="#{h(user_comment)}">]
or heredoc.
puts <<HIDDEN
<input type="hidden" value="#{h(user_comment)}">
HIDDEN
Heredocs include the last newline, but that makes no difference when
used with #puts.
--
Nobu Nakada
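An added example, not from any post in this thread and not Rails' own code: a minimal escaper that behaves like the h() described in the first post (escapes only `< > & "`), next to a version that also turns the single quote into `&#39;`, and a check that shows why the four-character version is unsafe inside a single-quoted attribute while Nobu's double-quoted delimiters are fine. The helper names (h4, h5, hidden_input, attribute_intact?) and the sample comment are constructed for this example.

```ruby
# Added example (not the thread's or Rails' code).
# h4 escapes exactly the four characters listed in the original post; the
# apostrophe passes through untouched.
def h4(s)
  s.to_s.gsub(/[<>&"]/, '<' => '&lt;', '>' => '&gt;', '&' => '&amp;', '"' => '&quot;')
end

# h5 also escapes the single quote as a numeric character reference, which is
# safe in both HTML 4 and HTML 5 attribute values.
def h5(s)
  s.to_s.gsub(/[<>&"']/,
              '<' => '&lt;', '>' => '&gt;', '&' => '&amp;',
              '"' => '&quot;', "'" => '&#39;')
end

# Builds the hidden input from the posts, with the chosen quote character
# around the attribute value and the chosen escaper applied to user input.
def hidden_input(value, quote:, escaper:)
  "<input type=#{quote}hidden#{quote} value=#{quote}#{escaper.call(value)}#{quote}>"
end

# Extracts the attribute value the way a browser delimits it: everything up to
# the first occurrence of the delimiting quote after value=. If the escaped
# text still contains that quote, the attribute ends early and the remainder
# of the user input lands in tag context (new attributes, event handlers...).
def parsed_value(tag, quote)
  q = Regexp.escape(quote)
  m = tag.match(/value=#{q}([^#{q}]*)#{q}/)
  m && m[1]
end

# True when the whole escaped value survives as one attribute value.
def attribute_intact?(value, quote:, escaper:)
  tag = hidden_input(value, quote: quote, escaper: escaper)
  parsed_value(tag, quote) == escaper.call(value)
end

# Constructed sample comment: a plain apostrophe is enough to break out of a
# single-quoted attribute when only the four characters are escaped.
SAMPLE = "O'Brien said \"hi\" & left"

if __FILE__ == $0
  puts hidden_input(SAMPLE, quote: "'", escaper: method(:h4))   # attribute ends after O
  puts hidden_input(SAMPLE, quote: "'", escaper: method(:h5))   # intact
  puts hidden_input(SAMPLE, quote: '"', escaper: method(:h4))   # intact (Nobu's delimiters)
end
```

The two fixes are independent: either escape `'` as well (h5) or keep h() as-is and only ever put its output inside double-quoted attributes, as the %[...] and heredoc forms above do. Relying on the second alone means one single-quoted template somewhere silently reopens the hole, so escaping all five characters is the more robust default.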