Rails 3 escapes every string output through <%= %> automatically, i.e. it applies the h() helper to it, so some hard-coded text constants can cause trouble:
- HTML tags are shown literally instead of being parsed by the browser, e.g. <i>some text</i> appears as-is instead of rendering in italics
- Some JavaScript code might break for very simple reasons. Consider generating JSON inside a <script> tag in an .html.erb file using <%= %>. The quotes will be converted to &quot;, even though the content is not HTML but JS.
There is a way around that particular problem: calling the html_safe method on the string object. Here is an example of it.
Also, this article explains it in greater depth: SafeBuffers and Rails 3.0
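The following is an added example, not code from the original post or from Rails itself. It models the Rails 3 mechanism with a small SafeString class (a stand-in for ActiveSupport::SafeBuffer) and an auto_escape function that plays the role of <%= %>, using only Ruby's ERB::Util.html_escape and the json stdlib. The ITALIC and USER values are constructed sample data, and json_for_script is a hypothetical helper written for this example: it shows why html_safe on raw JSON is only acceptable for trusted data, and how escaping <, > and & as JSON \uXXXX sequences keeps user-supplied strings inside the script without breaking the JS.

```ruby
require 'erb'
require 'json'

# Simplified model of the Rails 3 mechanism (not ActiveSupport's code):
# a SafeString is a String that has been marked as trusted, so the
# <%= %> escaper lets it through untouched.
class SafeString < String
  def html_safe?
    true
  end

  # Plain String#to_s returns a new String for subclasses, which would
  # drop the "safe" mark; Rails' SafeBuffer overrides to_s the same way.
  def to_s
    self
  end
end

class String
  def html_safe?
    false
  end

  # Mark the receiver as trusted markup. Same contract as Rails' String#html_safe:
  # the caller promises the content needs no escaping.
  def html_safe
    SafeString.new(self)
  end
end

# What <%= %> does in Rails 3: escape with h() unless the value is marked safe.
def auto_escape(value)
  s = value.to_s
  s.html_safe? ? s : ERB::Util.html_escape(s)
end

# Constructed helper for this example: JSON for a <script> tag without
# trusting raw data. <, > and & become JSON \uXXXX escapes, which are valid
# JSON, valid JavaScript, and cannot close the script element.
def json_for_script(obj)
  obj.to_json.gsub(/[<>&]/) { |c| format('\\u%04x', c.ord) }.html_safe
end

# Case 1: a hard-coded tag constant (constructed sample).
ITALIC = "<i>some text</i>"

def italic_escaped
  auto_escape(ITALIC)            # tags shown literally: &lt;i&gt;some text&lt;/i&gt;
end

def italic_safe
  auto_escape(ITALIC.html_safe)  # <i>some text</i> rendered by the browser
end

# Case 2: JSON in a script tag (constructed sample data).
USER = { "name" => "Alice" }

def json_escaped
  auto_escape(USER.to_json)            # quotes become &quot; and the JS is broken
end

def json_raw_safe
  auto_escape(USER.to_json.html_safe)  # valid JS, but only safe for trusted data
end

def json_hardened(data)
  auto_escape(json_for_script(data))   # valid JS even if a value contains "</script>"
end

if __FILE__ == $PROGRAM_NAME
  puts italic_escaped
  puts italic_safe
  puts json_escaped
  puts json_raw_safe
  # A value containing "</script>" would terminate the script element if the
  # raw JSON were marked html_safe; the hardened form keeps it inside the string.
  puts json_hardened({ "name" => "</script>" })
end
```

The point to take from json_raw_safe versus json_hardened: html_safe does not make a string safe, it only tells the view layer to stop escaping it, so it belongs on strings whose content you already control, while anything containing user data should be escaped in a way that suits the context it is embedded in (here, JSON inside a script tag) before being marked safe.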