From 645f5158432b541948bcb3e3745cce18ab257df2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Valim?=
Date: Mon, 8 Nov 2010 01:47:49 -0800
Subject: Add a note to TextHelpers making explicit their default behavior of not escaping but sanitizing.
---
 actionpack/lib/action_view/helpers/text_helper.rb | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
(limited to 'actionpack/lib/action_view/helpers/text_helper.rb')
diff --git a/actionpack/lib/action_view/helpers/text_helper.rb b/actionpack/lib/action_view/helpers/text_helper.rb
index 7c877a0f57..3d276000a1 100644
--- a/actionpack/lib/action_view/helpers/text_helper.rb
+++ b/actionpack/lib/action_view/helpers/text_helper.rb
@@ -9,6 +9,24 @@ module ActionView
 # and transforming strings, which can reduce the amount of inline Ruby code in
 # your views. These helper methods extend Action View making them callable
 # within your template files.
+ #
+ # ==== Sanitization
+ #
+ # Most text helpers by default sanitize the given content, but do not escape it.
+ # This means HTML tags will appear in the page but all malicious code will be removed.
+ # Let's look at some examples using the +simple_format+ method:
+ #
+ # simple_format('Example')
+ # # => "

Example

" + # + # simple_format('Example') + # # => "

Example

" + # + # If you want to escape all content, you should invoke the +h+ method before + # calling the text helper. + # + # simple_format h('Example') + # # => "

<a href=\"http://example.com/\">Example</a>

" module TextHelper extend ActiveSupport::Concern -- cgit v1.2.3
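Review bot: The sentence "all malicious code will be removed" in the new Sanitization section promises more than a sanitizer can deliver, and readers will take it as permission to pass untrusted input through +simple_format+ and friends unescaped. Sanitization is a filter that strips markup the helper does not accept; it is not an escaping step and not a guarantee, so the doc should say so and steer untrusted content to +h+: `# Sanitization strips tags and attributes the sanitizer does not allow. It is a filtering step, not a security guarantee, so escape untrusted input with +h+ whenever you do not need its markup preserved.` "Most text helpers" is also vague — naming which helpers sanitize by default (and that the list is what the individual method docs say) would let a reviewer check a view without reading each helper's source. If, as I would expect in Action View, these helpers return an html_safe string that bypasses later auto-escaping, a sentence stating that would close the remaining gap, but I cannot confirm it from this hunk.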