raw vs html safe vs h to unescape html

Question

Suppose I have the following string    x     lt a href     gt Turn me into a link lt  a gt     In my view  I want a link to be displayed  That is  I don t want everything in  x to be unescaped and displayed as a string  What s the difference between using   lt    raw  x   gt   lt    h  x   gt   lt     x html safe   gt

User · Answer

The difference is between Rails    html safe   and raw    There is an excellent post by Yehuda Katz on this  and it really boils down to this   def raw stringish     stringish to s html safe  end   Yes  raw   is a wrapper around html safe   that forces the input to String and then calls html safe   on it  It   s also the case that raw   is a helper in a module whereas html safe   is a method on the String class which makes a new ActiveSupport  SafeBuffer instance     that has a  dirty flag in it   Refer to  Rails    html safe vs  raw

User · Answer

The best safe way is   lt    sanitize  x   gt   It will avoid XSS

User · Answer

Considering Rails 3   html safe actually  sets the string  as HTML Safe  it s a little more complicated than that  but it s basically it   This way  you can return HTML Safe strings from helpers or models at will   h can only be used from within a controller or view  since it s from a helper  It will force the output to be escaped  It s not really deprecated  but you most likely won t use it anymore  the only usage is to  revert  an html safe declaration  pretty unusual   Prepending your expression with raw is actually equivalent to calling to s chained with html safe on it  but is declared on a helper  just like h  so it can only be used on controllers and views    SafeBuffers and Rails 3 0  is a nice explanation on how the SafeBuffers  the class that does the html safe magic  work

User · Answer

In Simple Rails terms   h remove html tags into number characters so that rendering won t break your html  html safe sets a boolean in string so that the string is considered as html save  raw It converts to html safe to string

User · Answer

I think it bears repeating  html safe does not HTML-escape your string  In fact  it will prevent your string from being escaped    lt      lt script gt alert  Hello    lt  script gt     gt    will put    amp lt script amp gt alert  amp  x27 Hello  amp  x27   amp lt  script amp gt    into your HTML source  yay  so safe    while    lt      lt script gt alert  Hello    lt  script gt   html safe   gt    will pop up the alert dialog  are you sure that s what you want    So you probably don t want to call html safe on any user-entered strings

User · Answer

html safe    Marks a string as trusted safe  It will be inserted into HTML with no additional escaping performed     lt a gt Hello lt  a gt   html safe    gt    lt a gt Hello lt  a gt    nil html safe    gt  NoMethodError  undefined method  html safe  for nil NilClass  raw    raw is just a wrapper around html safe  Use raw if there are chances that the string will be nil   raw   lt a gt Hello lt  a gt       gt    lt a gt Hello lt  a gt    raw nil     gt      h alias for html escape    A utility method for escaping HTML tag characters  Use this method to escape any unsafe content   In Rails 3 and above it is used by default so you don t need to use this method explicitly

[ruby-on-rails] raw vs. html_safe vs. h to unescape html

Examples related to ruby-on-rails

Examples related to erb