CambridgeMike

Reputation: 4622

Why should I be careful with html_safe?

From a developer's point of view I understand that `html_safe` allows you to put HTML tags/entities in a string from within the controller, and then have that string rendered as HTML in the view.

However, from a security point of view, I'm not sure I understand why it is necessary. When should I not use html_safe on a string? In my case this is a user editable field, but I can't imagine what type of attack this would make possible.

Upvotes: 1

Views: 312

Answers (1)

Jef

Reputation: 5474

http://guides.rubyonrails.org/security.html

A very clear guide about security issues, including XSS, and why you should escape user-editable content.

Upvotes: 1
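As an added illustration (not part of the question or the answer above), here is a plain-Ruby stand-in for what the Rails view layer does with and without `html_safe`, using `ERB::Util.html_escape` from the standard library; the profile-name value, the helper names and the `leaks_user_markup?` check are constructed for this example:

```ruby
require "erb"

# Constructed sample of a user-editable field (say, a profile "display name").
# Whoever fills in this field controls it entirely, so the view must treat it
# as text to display, not as markup to interpret.
UNTRUSTED_NAME = "Alice <script>document.title='changed'</script>"

# What the default Rails view escaping does: ERB::Util.html_escape rewrites
# the HTML metacharacters (& < > " ') as entities, so the browser shows the
# characters instead of executing a tag.
def render_escaped(name)
  "<p>Hello, #{ERB::Util.html_escape(name)}</p>"
end

# What calling .html_safe on the same string amounts to: the view layer is
# told "do not escape this", so the tag reaches the browser unchanged and runs
# in the page's origin. (Stand-in for Rails' html_safe; ActiveSupport is not
# loaded here.)
def render_marked_safe(name)
  "<p>Hello, #{name}</p>"
end

# The legitimate pattern: build the markup yourself and escape every
# user-derived fragment first. Only a string assembled this way is a
# reasonable candidate for html_safe in a real Rails app.
def render_greeting_markup(name)
  %(<p class="greeting"><strong>#{ERB::Util.html_escape(name)}</strong></p>)
end

# Minimal review/test check: the rendered page must not contain any tag that
# originated in the user-controlled value.
def leaks_user_markup?(html, user_value)
  tag = user_value[/<[^>]+>/]
  !tag.nil? && html.include?(tag)
end

if __FILE__ == $PROGRAM_NAME
  puts render_escaped(UNTRUSTED_NAME)       # tag shown as literal text
  puts render_marked_safe(UNTRUSTED_NAME)   # tag passed through verbatim
  puts render_greeting_markup(UNTRUSTED_NAME)
end
```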
