ONJava.com -- The Independent Source for Enterprise Java
Article:
  Rolling with Ruby on Rails, Part 2
Subject:   Escaping HTML
Date:   2005-03-05 14:24:38
From:   JustinForder
Thanks for a great article - the examples build on one another really well.
One point - as discussed in the security manual you reference, it is important to escape any content that the user has entered before displaying it. This is needed both to prevent page display being broken by user-entered HTML, and to prevent cross-site scripting attacks by user-entered script.
Fortunately this is easy to do: just use <%h= instead of <%= when displaying unsafe content.
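The escaping the post recommends, shown as an added example that is not code from the article or the poster: plain Ruby ERB with the h helper from ERB::Util (the helper Rails exposes as h in views), rendering one constructed user comment raw and then escaped, in the `<%=h ... %>` spelling Rails templates use.

```ruby
require "erb"
include ERB::Util   # makes h (alias of html_escape) callable in templates, as Rails views do

# Constructed sample input: markup and script a user might type into a comment form.
USER_COMMENT = %q{<b>unclosed tag <script>alert("xss")</script>}

# View fragment that interpolates the value raw: the browser parses it as markup,
# so the unclosed <b> breaks the page and the <script> runs (cross-site scripting).
RAW_VIEW     = ERB.new(%q{<p>Comment: <%= comment %></p>})

# The same fragment passed through h before display: <, >, &, and quotes become
# entities, so the browser shows the text literally and never executes it.
ESCAPED_VIEW = ERB.new(%q{<p>Comment: <%=h comment %></p>})

def render_raw(comment)
  RAW_VIEW.result_with_hash(comment: comment)
end

def render_escaped(comment)
  ESCAPED_VIEW.result_with_hash(comment: comment)
end

# Simple output check for a test suite: did a user-supplied script tag survive rendering?
def contains_script_tag?(html)
  html.downcase.include?("<script")
end

if __FILE__ == $0
  puts render_raw(USER_COMMENT)
  puts render_escaped(USER_COMMENT)
end
```

Running the file prints the raw fragment with the script tag intact, then the escaped fragment where the same characters appear as `&lt;script&gt;` and `&quot;`.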
