author | Ryan Bigg <radarlistener@gmail.com> | 2010-11-15 11:44:04 +0800 |
---|---|---|
committer | Ryan Bigg <radarlistener@gmail.com> | 2010-11-15 11:44:04 +0800 |
commit | 8b5700192e3baadf236f1d7560c3b9f979b3b56d (patch) | |
tree | 5f13a06bf516d58cf1a6ab2f508aa5e8622c0e7e /actionpack | |
parent | 74061f55be2ba83f1457369b7e47cab54d26a57f (diff) | |
parent | 72fda46214da24e846a8f3332e153361247902a4 (diff) | |
download | rails-8b5700192e3baadf236f1d7560c3b9f979b3b56d.tar.gz rails-8b5700192e3baadf236f1d7560c3b9f979b3b56d.tar.bz2 rails-8b5700192e3baadf236f1d7560c3b9f979b3b56d.zip |
Merge branch 'master' of github.com:lifo/docrails
* 'master' of github.com:lifo/docrails:
Getting Started guide: remove calls to f.error_messages as it has been removed from Rails
deliver_* is no more
removed unnecessary indentation
added note with example for using flash in redirection
corrected sample code to clear @_current_user class variable also
the partial option is not required for simple partial rendering
colorize_logging is a Rails General Configuration option not a specific option of ActiveRecord
Fixed the name of the 'generator option'
this reads better, i don't know what the other 'so on' are, doesn't help reader imho
added missing word to clear up meaning in my previous commit
Add a note to TextHelpers making explicit their default behavior of not escaping but sanitizing.
removed indentation, for code style consistency and readability
Use Rails.logger, not ActiveRecord::Base.logger
removed etc. not require
added missing space and minor rewording
corrected to Rails 3 syntax for declaring resources
Fixes ActionMailer example error
Diffstat (limited to 'actionpack')
-rw-r--r-- | actionpack/lib/action_view/helpers/text_helper.rb | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/actionpack/lib/action_view/helpers/text_helper.rb b/actionpack/lib/action_view/helpers/text_helper.rb index 7c877a0f57..3d276000a1 100644 --- a/actionpack/lib/action_view/helpers/text_helper.rb +++ b/actionpack/lib/action_view/helpers/text_helper.rb @@ -9,6 +9,24 @@ module ActionView # and transforming strings, which can reduce the amount of inline Ruby code in # your views. These helper methods extend Action View making them callable # within your template files. + # + # ==== Sanitization + # + # Most text helpers by default sanitize the given content, but do not escape it. + # This means HTML tags will appear in the page but all malicious code will be removed. + # Let's look at some examples using the +simple_format+ method: + # + # simple_format('<a href="http://example.com/">Example</a>') + # # => "<p><a href=\"http://example.com/\">Example</a></p>" + # + # simple_format('<a href="javascript:alert('no!')">Example</a>') + # # => "<p><a>Example</a></p>" + # + # If you want to escape all content, you should invoke the +h+ method before + # calling the text helper. + # + # simple_format h('<a href="http://example.com/">Example</a>') + # # => "<p><a href=\"http://example.com/\">Example</a></p>" module TextHelper extend ActiveSupport::Concern |
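Review bot: The last documented example does not show escaping: `simple_format h('<a href="http://example.com/">Example</a>')` is given the same return value as the first, unescaped call (`"<p><a href=\"http://example.com/\">Example</a></p>"`), so a reader cannot see what `h` changes. The expected output there should show the markup entity-encoded (the `<`, `>` and `"` characters rendered as `&lt;`, `&gt;` and `&quot;`) inside the `<p>` wrapper. In the second example, `'<a href="javascript:alert('no!')">Example</a>'` nests single quotes inside a single-quoted string and is not valid Ruby as written; escape the inner quotes or switch the outer delimiter so the sample can be pasted into a console. The sentence "all malicious code will be removed" is also a stronger guarantee than this comment can back up; consider describing what the sanitizer strips (as the `javascript:` href example shows) and pointing readers to `h` whenever the input should not be rendered as HTML at all.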