How to HTML encode escape a string Is there a built-in

Question

I have an untrusted string that I want to show as text in an HTML page  I need to escape the chars   lt   and   amp   as HTML entities   The less fuss the better   I m using UTF8 and don t need other entities for accented letters   Is there a built-in function in Ruby or Rails  or should I roll my own

User · Answer

In Ruby on Rails 3 HTML will be escaped by default    For non-escaped strings use    lt    raw   lt p gt hello world  lt  p gt     gt

User · Answer

h   is also useful for escaping quotes   For example  I have a view that generates a link using a text field result r  thtitle  The text could include single quotes  If I didn t escape result r  thtitle in the confirm method  the Javascript would break    amp lt    link to remote    result r  thtitle     url  gt    controller  gt  resource   action           gt  delete resourced   id       gt  result r  id   th       gt  thread                                                                                                         html         gt   title  gt    lt   Remove                                                            confirm      gt  h    result r  thtitle  will be removed                                                        method       gt   delete   gt    amp lt a href     onclick  if  confirm  docs  add column  amp amp apos dummy amp amp apos  will be removed      new Ajax Request   resource delete resourced 837 owner 386 amp amp th 511    asynchronous true  evalScripts true  method  delete   parameters  authenticity token     encodeURIComponent  ou812         return false   title   amp lt   Remove  gt docs  add column  dummy  lt  a gt    Note  the  html title declaration is magically escaped by Rails

User · Answer

Checkout the Ruby CGI class  There are methods to encode and decode HTML as well as URLs   CGI  escapeHTML  Usage  foo  bar   lt baz gt        gt   Usage  foo  amp quot bar amp quot   amp lt baz amp gt

User · Answer

Comparaison of the different  methods    gt  CGI  escapeHTML  quote   double quotes        gt   quote  amp  39  double quotes  amp quot     gt  Rack  Utils escape html  quote   double quotes        gt   quote  amp  x27  double quotes  amp quot     gt  ERB  Util html escape  quote   double quotes        gt   quote  amp  39  double quotes  amp quot     I wrote my own to be compatible with Rails ActiveMailer escaping   def escape html str    CGI escapeHTML str  gsub   amp  39         end

User · Answer

An addition to Christopher Bradford s answer to use the HTML escaping anywhere  since most people don t use CGI nowadays  you can also use Rack   require  rack utils  Rack  Utils escape html  Usage  foo  bar   lt baz gt

User · Answer

The h helper method    lt   h   lt p gt  will be preserved    gt

User · Answer

You can use either h   or html escape    but most people use h   by convention   h   is short for html escape   in rails   In your controller    stuff     lt b gt Hello World  lt  b gt     In your view    lt   h  stuff   gt    If you view the HTML source  you will see the output without actually bolding the data   I e  it is encoded as  amp lt b amp gt Hello World  amp lt  b amp gt    It will appear an be displayed as  lt b gt Hello World  lt  b gt

User · Answer

ERB  Util html escape can be used  anywhere  It is available without using require in Rails

[html] How to HTML encode/escape a string? Is there a built-in?

Examples related to html

Examples related to ruby-on-rails

Examples related to ruby

Examples related to escaping

Examples related to encode