Robert Walker wrote:
> some_string = "<script>alert("Gotcha!")</script>"
Ignore my silly syntax error above with the nested double quotes. Single
quote the string in the JS part or fix it however you like.
> <%= h some_string %> or <%= html_escape some_string %>
> => <script>alert("Gotcha!")</script>
>
> <%= some_string %>
> => [[ javascript alert dialog => Gotcha! ]]
Well, this is quite interesting. The above actually DID NOT work under
Rails 2.3.8 for me. The same code escaped properly, as expected, running
under Rails 2.3.5.
In my test the JS dialog was displayed whether h was used or not. Not
good... Maybe on second thought I'll skip Rails 2.3.8 altogether and go
straight to Rails 3.0.
--
Posted via http://www.ruby-forum.com/.
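The two view fragments from the thread, rendered side by side as a regression check one can run after a framework upgrade. This is an added example, not code from the post; it assumes plain-Ruby ERB with `ERB::Util` (the `h` / `html_escape` helpers) standing in for a Rails view.

```ruby
require 'erb'
include ERB::Util  # h / html_escape, the helpers Rails views expose

# Constructed input, matching the string from the post.
SOME_STRING = '<script>alert("Gotcha!")</script>'

# The two ERB fragments from the post, rendered with stdlib ERB
# (assumption: stdlib ERB stands in for the Rails view here).
ESCAPED_TEMPLATE = ERB.new('<%= h some_string %>')
RAW_TEMPLATE     = ERB.new('<%= some_string %>')

def render_fragment(template, some_string)
  # some_string is visible to the template through this binding
  template.result(binding)
end

# True when the rendered HTML still hands the browser a live script
# element, i.e. escaping did not happen.
def unescaped_script?(html)
  html =~ /<\s*script\b/i ? true : false
end

# Regression check: the escaped helper must never let the tag through;
# the raw interpolation is expected to.
def escaping_report(some_string = SOME_STRING)
  escaped = render_fragment(ESCAPED_TEMPLATE, some_string)
  raw     = render_fragment(RAW_TEMPLATE, some_string)
  {
    escaped: escaped,
    raw: raw,
    escaped_is_safe: !unescaped_script?(escaped),
    raw_is_safe: !unescaped_script?(raw)
  }
end

if __FILE__ == $0
  escaping_report.each { |k, v| puts "#{k}: #{v}" }
end
```

Running the same script under each Rails version's view helpers (instead of stdlib ERB) is the quickest way to confirm the behaviour the poster observed.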
--
You received this message because you are subscribed to the Google Groups "Ruby
on Rails: Talk" group.