Home arrow Ruby-on-Rails arrow Page 3 - Login Systems and More with Ruby on Rails
RUBY-ON-RAILS

Login Systems and More with Ruby on Rails


In this third article of a six-part series covering web development and Ruby on Rails, you'll learn how to add some very desirable features to your web application. This article is excerpted from chapter 15 of the Ruby Cookbook, written by Lucas Carlson and Leonard Richardson (O'Reilly, 2006; ISBN: 0596523696). Copyright © 2006 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

Author Info:
By: O'Reilly Media
Poor Best
Rating: 4 stars4 stars4 stars4 stars4 stars / 23
April 05, 2007
TABLE OF CONTENTS:
  1. · Login Systems and More with Ruby on Rails
  2. · 15.9 Storing Hashed User Passwords in the Database
  3. · 15.10 Escaping HTML and JavaScript for Display
  4. · 15.11 Setting and Retrieving Session Information

print this article
SEARCH DEVARTICLES

TOOLS YOU CAN USE

advertisement
Login Systems and More with Ruby on Rails - 15.10 Escaping HTML and JavaScript for Display
(Page 3 of 4 )

Problem

You want to display data that might contain HTML or JavaScript without making browsers render it as HTML or interpret the JavaScript. This is especially important when displaying data entered by users.

Solution

Pass a string of data into the h() helper function to escape its HTML entities. That is, instead of this:

  <%= @data %>

Write this:

  <%=h @data %>

The h() helper function converts the following characters into their HTML entity equivalents: ampersand (&), double quote ("), left angle bracket (<), and right angle bracket (>).

Discussion

You won't find the definition for the h() helper function anywhere in the Rails source code, because it's a shortcut for ERb's built-in helper function html_escape().

JavaScript is deployed within HTML tags like <SCRIPT>, so escaping an HTML string will neutralize any JavaScript in the HTML. However, sometimes you need to escape just the JavaScript in a string. Rails adds a helper function called escape_javascript() that you can use. This function doesn't do much: it just turns line breaks into the string "\n", and adds backslashes before single and double quotes. This is handy when you want to use arbitrary data in your own JavaScript code:

  <!-- index.rhtml -->
  <script lang="javascript">
  var text = "<%= escape_javascript @javascript_alert_text %>";
  alert(text);
  </script>

See Also

  • Chapter 11


blog comments powered by Disqus
RUBY-ON-RAILS ARTICLES

- Adding Style with Action Pack
- Handling HTML in Templates with Action Pack
- Filters, Controllers and Helpers in Action P...
- Action Pack and Controller Filters
- Action Pack Categories and Events
- Logging Out, Events and Templates with Actio...
- Action Pack Sessions and Architecture
- More on Action Pack Partial Templates
- Action Pack Partial Templates
- Displaying Error Messages with the Action Pa...
- Action Pack Request Parameters
- Creating an Action Pack Registration Form
- Ruby on Rails Templates and Layouts
- Action Pack Controller Creation
- Writing an Action Pack Controller
Find More Ruby-on-Rails Tutorials

Dev Articles Forums 
 RSS  Articles
 RSS  Forums
 RSS  All Feeds
Weekly Newsletter
 
Developer Updates  
Free Website Content 
Contact Us 
Site Map 
Privacy Policy 
Support 



© 2003-2012 by Developer Shed. All rights reserved. DS Cluster 9 - Follow our Sitemap
Popular Web Development Topics
All Web Development Tutorials