I have a model tag with attribute title (string).
A tag belongs_to a model document with a has_many :through association.
In the document#show view, I need to show all tags associated with that document, so I do:
%p= raw @document.tags.map { |t| link_to "##{t.title}", t }.join(', ')
Is this safe considering that a user is able to create a tag?
If it’s not safe, how can I achieve the same result?
Thank you.
Yes, the tag’s title will be escaped before becoming the content of the link, so even if there were HTML in it, it would be rendered, not output raw. What will be output without escaping here is the string resulting from the join, which is fine.
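An added example, not from this thread, that models the escaping rules the answer relies on using only Ruby's standard library: `SafeString`, `link_to_model` and `tag_links` are stand-ins for ActiveSupport::SafeBuffer, Rails' `link_to` and the view line above, and `unsafe_tag_text` shows the variant that would leak markup, namely passing the joined titles to `raw` without a helper that escapes them first.

```ruby
# Added example: stdlib-only model of why "raw links.join(', ')" is safe
# when every link was built by link_to, and unsafe when it was not.
require "erb"

# Stand-in for ActiveSupport::SafeBuffer: a String flagged as already escaped.
class SafeString < String
  def html_safe?
    true
  end
end

# Model of link_to's handling of its text argument: escape it unless it is
# already marked safe, then wrap it in an anchor and mark the anchor safe.
def link_to_model(text, href)
  body = (text.respond_to?(:html_safe?) && text.html_safe?) ? text : ERB::Util.html_escape(text)
  SafeString.new(%(<a href="#{ERB::Util.html_escape(href)}">#{body}</a>))
end

# Model of the view line: every piece is escaped by link_to_model before the
# join, so marking the joined result raw exposes no unescaped user input.
def tag_links(tags)
  SafeString.new(tags.map { |t| link_to_model("##{t[:title]}", t[:path]) }.join(", "))
end

# Contrast: joining the titles directly and marking the result raw skips the
# escaping step entirely, so any markup in a user-created title goes out as-is.
def unsafe_tag_text(tags)
  SafeString.new(tags.map { |t| "##{t[:title]}" }.join(", "))
end

# Constructed sample data: one benign title and one carrying markup.
SAMPLE_TAGS = [
  { title: "rails", path: "/tags/1" },
  { title: "<script>alert(1)</script>", path: "/tags/2" },
].freeze

if __FILE__ == $0
  puts tag_links(SAMPLE_TAGS)        # markup in the second title is entity-escaped
  puts unsafe_tag_text(SAMPLE_TAGS)  # markup in the second title is emitted verbatim
end
```

In a real view, `safe_join(@document.tags.map { |t| link_to "##{t.title}", t }, ', ')` produces the same output as the `raw ... join` line without marking anything raw by hand.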