diff options
| -rw-r--r-- | actionpack/lib/action_view/helpers/text_helper.rb | 18 | ||||
| -rw-r--r-- | railties/guides/source/debugging_rails_applications.textile | 8 |
2 files changed, 22 insertions, 4 deletions
diff --git a/actionpack/lib/action_view/helpers/text_helper.rb b/actionpack/lib/action_view/helpers/text_helper.rb index 7c877a0f57..3d276000a1 100644 --- a/actionpack/lib/action_view/helpers/text_helper.rb +++ b/actionpack/lib/action_view/helpers/text_helper.rb @@ -9,6 +9,24 @@ module ActionView # and transforming strings, which can reduce the amount of inline Ruby code in # your views. These helper methods extend Action View making them callable # within your template files. + # + # ==== Sanitization + # + # Most text helpers by default sanitize the given content, but do not escape it. + # This means HTML tags will appear in the page but all malicious code will be removed. + # Let's look at some examples using the +simple_format+ method: + # + # simple_format('<a href="http://example.com/">Example</a>') + # # => "<p><a href=\"http://example.com/\">Example</a></p>" + # + # simple_format('<a href="javascript:alert('no!')">Example</a>') + # # => "<p><a>Example</a></p>" + # + # If you want to escape all content, you should invoke the +h+ method before + # calling the text helper. + # + # simple_format h('<a href="http://example.com/">Example</a>') + # # => "<p><a href=\"http://example.com/\">Example</a></p>" module TextHelper extend ActiveSupport::Concern diff --git a/railties/guides/source/debugging_rails_applications.textile b/railties/guides/source/debugging_rails_applications.textile index 6eec18b8b9..adf427147b 100644 --- a/railties/guides/source/debugging_rails_applications.textile +++ b/railties/guides/source/debugging_rails_applications.textile @@ -127,8 +127,8 @@ Rails makes use of Ruby's standard +logger+ to write log information. You can al You can specify an alternative logger in your +environment.rb+ or any environment file: <ruby> -ActiveRecord::Base.logger = Logger.new(STDOUT) -ActiveRecord::Base.logger = Log4r::Logger.new("Application Log") +Rails.logger = Logger.new(STDOUT) +Rails.logger = Log4r::Logger.new("Application Log") </ruby> Or in the +Initializer+ section, add _any_ of the following @@ -142,13 +142,13 @@ TIP: By default, each log is created under +Rails.root/log/+ and the log file na h4. Log Levels -When something is logged it's printed into the corresponding log if the log level of the message is equal or higher than the configured log level. If you want to know the current log level you can call the +ActiveRecord::Base.logger.level+ method. +When something is logged it's printed into the corresponding log if the log level of the message is equal or higher than the configured log level. If you want to know the current log level you can call the +Rails.logger.level+ method. The available log levels are: +:debug+, +:info+, +:warn+, +:error+, and +:fatal+, corresponding to the log level numbers from 0 up to 4 respectively. To change the default log level, use <ruby> config.log_level = Logger::WARN # In any environment initializer, or -ActiveRecord::Base.logger.level = 0 # at any time +Rails.logger.level = 0 # at any time </ruby> This is useful when you want to log under development or staging, but you don't want to flood your production log with unnecessary information. |