I’m using Rails 3 and Ruby 1.9.2. I’m not doing anything special when I’m displaying the content of my post, I’m just doing
<%=@post.content%>
When I add
"<script language='javascript'>alert('test');</script>"
to my post form, of course it executes the JavaScript alert!
I tried adding the html_safe both before saving and before displaying but it didn’t fix anything.
If I have to add any security code, will I have to add it before saving the post or before displaying it? I heard that Rails 3 was doing it itself so I didn’t bother too much about security, but I guess there are still some main things to be careful with.
Rails 3 is quite strict about escaping anything you put into your view, but in Rails 2 and earlier it was your responsibility to do this. You have to escape everything using the h() helper method.

When building an application that accepts arbitrary user input you must be certain you are escaping anything and everything that shows up in the view.
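As an added example, not code from the question or the answer: a stand-alone Ruby script using only the standard library's ERB and ERB::Util to show what the h() helper does to the payload from the question. The PostView class and its method names are invented for the demo; plain ERB does not auto-escape, so it stands in for the Rails 2 case (or a Rails 3 string that has been marked html_safe).

```ruby
require 'erb'

# Constructed sample input: the payload from the question.
POST_CONTENT = "<script language='javascript'>alert('test');</script>"

# Minimal stand-in for a view: a plain ERB template. Stock ERB does not
# auto-escape, which is the Rails 2 situation the answer describes (and the
# situation you recreate in Rails 3 when a string is marked html_safe).
class PostView
  include ERB::Util   # provides the h (html_escape) helper

  def initialize(content)
    @content = content
  end

  # Unescaped: the browser would parse the <script> tag and run it.
  def render_unescaped
    ERB.new("<div class='post'><%= @content %></div>").result(binding)
  end

  # Escaped with h(): angle brackets and quotes become entities, so the
  # browser shows the text of the tag instead of executing it.
  def render_escaped
    ERB.new("<div class='post'><%= h(@content) %></div>").result(binding)
  end
end

# Detection check: does the rendered HTML still contain a live <script> tag?
def contains_script_tag?(html)
  html.match?(/<script\b/i)
end

if __FILE__ == $0
  view = PostView.new(POST_CONTENT)
  puts view.render_unescaped   # the tag survives intact
  puts view.render_escaped     # &lt;script ...&gt; as inert text
end
```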