6:[["$","$Le",null,{}],["$","div",null,{"className":"min-h-screen bg-gray-100 p-6","children":[["$","$Lf",null,{}],["$","script",null,{"type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"{\"@context\":\"https://schema.org\",\"@type\":\"QAPage\",\"mainEntity\":{\"@type\":\"Question\",\"name\":\"What does h() really do?\",\"text\":\"

I know it is about the dangers of cross-site scripting. But can anyone explain in detail?

\\n\",\"author\":{\"@type\":\"Person\",\"name\":\"wizztjh\"},\"upvoteCount\":0,\"answerCount\":2,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"

It escapes html entities in the data to be rendered. h() is an alias for html_escape().

\\n\\n

http://apidock.com/rails/ERB/Util/html_escape

\\n\",\"author\":{\"@type\":\"Person\",\"name\":\"ramn\"},\"upvoteCount\":4}}}"}}],["$","div",null,{"className":"bg-white shadow-md rounded-lg p-6 mb-6 relative","children":[["$","div",null,{"className":"absolute top-4 right-4 flex flex-wrap space-x-2","children":[["$","span","ruby-on-rails",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/ruby-on-rails/1","children":"ruby-on-rails"}]}],["$","span","xss",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/xss/1","children":"xss"}]}]]}],["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://www.gravatar.com/avatar/392d65758263f936fa02340d56ef8afd?s=256&d=identicon&r=PG","alt":"wizztjh","className":"w-16 h-16 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/227149/wizztjh","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"wizztjh"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",7041]}]]}]]}],["$","h1",null,{"className":"text-2xl font-bold text-gray-800 mb-4","children":"What does h() really do?"}],["$","p",null,{"className":"text-gray-700 mt-4","dangerouslySetInnerHTML":{"__html":"

I know it is about the dangers of cross-site scripting. But can anyone explain in detail?

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm mt-4","children":[["$","p",null,{"children":["Upvotes: ",0]}],["$","p",null,{"children":["Views: ",182]}]]}]]}],["$","div",null,{"className":"container mx-auto","children":[["$","h2",null,{"className":"text-2xl font-semibold text-gray-800 mb-6","children":["Answers (",2,")"]}],[["$","div","4577053",{"className":"bg-white shadow-md rounded-lg p-6 mb-6","children":[["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://www.gravatar.com/avatar/cf9edfdcf79bd399f9b077b815dece35?s=256&d=identicon&r=PG","alt":"sscirrus","className":"w-12 h-12 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/341583/sscirrus","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"sscirrus"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",56719]}]]}]]}],["$","p",null,{"className":"text-gray-700 mb-4","dangerouslySetInnerHTML":{"__html":"

The h() statement is a way to prevent against cross-site scripting, which is a vulnerability that sites can suffer when displaying data that was once entered by users. The h() was necessary for Rails 2.x but it has been made the default in Rails 3, so if you are using Rails 3 you do not need to use the h() at all.

\n\n

Here are some details from Ryan Bates and Asciicasts:

\n\n

http://asciicasts.com/episodes/204-xss-protection-in-rails-3

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm","children":["$","p",null,{"children":["Upvotes: ",1]}]}]]}],["$","div","4577039",{"className":"bg-white shadow-md rounded-lg p-6 mb-6","children":[["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://www.gravatar.com/avatar/7cb4884e16f89eb538f0410e6e344033?s=256&d=identicon&r=PG","alt":"ramn","className":"w-12 h-12 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/499959/ramn","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"ramn"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",467]}]]}]]}],["$","p",null,{"className":"text-gray-700 mb-4","dangerouslySetInnerHTML":{"__html":"

It escapes html entities in the data to be rendered. h() is an alias for html_escape().

\n\n

http://apidock.com/rails/ERB/Util/html_escape

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm","children":["$","p",null,{"children":["Upvotes: ",4]}]}]]}]]]}],["$","div",null,{"className":"bg-white shadow-md rounded-lg p-6 mt-6","children":[["$","h2",null,{"className":"text-2xl font-semibold text-gray-800 mb-4","children":"Related Questions"}],["$","ul",null,{"className":"list-disc list-inside","children":[["$","li","296747",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/296747","className":"text-blue-600 hover:underline","children":"What is the meaning of "h" in "<%=h [ ...] %>"?"}]}],["$","li","61540369",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/61540369","className":"text-blue-600 hover:underline","children":"How reproduced html_safe function in ruby (without rails)"}]}],["$","li","4070257",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/4070257","className":"text-blue-600 hover:underline","children":"Why in Rails 3, <%= note.html_safe %> and <%= h note.html_safe %> give the same result?"}]}],["$","li","4448860",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/4448860","className":"text-blue-600 hover:underline","children":"What does <%=h ... %> means in Rails?"}]}],["$","li","9562508",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/9562508","className":"text-blue-600 hover:underline","children":"The raw and h() in the Rails"}]}],["$","li","6448375",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/6448375","className":"text-blue-600 hover:underline","children":"rails 3: what does the h() in "content_for(:title) { h(page_title.to_s) }" do?"}]}],["$","li","2985600",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/2985600","className":"text-blue-600 hover:underline","children":"How good is the Rails sanitize() method?"}]}],["$","li","1294360",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/1294360","className":"text-blue-600 hover:underline","children":"Any clever workaround to avoid having to type the h method everywhere?"}]}],["$","li","1494648",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/1494648","className":"text-blue-600 hover:underline","children":"Rails - Escaping HTML using the h() AND excluding specific tags"}]}],["$","li","1565052",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/1565052","className":"text-blue-600 hover:underline","children":"(ruby) does one escapse using h() in view files only for security, or in controller files as well?"}]}]]}]]}]]}],["$","$L11",null,{}],["$","$L12",null,{}],["$","$L13",null,{}],["$","$L14",null,{}],["$","$L15",null,{}]]

What does h() really do?

Answers (2)

Related Questions