Marcelo Barbudas wrote:
> Hi.
> 
> Is there a way to disable the default xss escaping of everything in
> rails3?

I don't know of a way to disable it entirely, that's sort of the point. 
Safe by default.

When you want to bypass the escaping you can use the 'raw' 
method:

<%= raw my_unsafe_string %>

Think of this as the opposite of the old 'h' method.

> What's the proper way of doing string concatenations like below with
> rails3 if xss escaping can not be disabled:
> "something #{link_to('something else') if value == true}"

In helpers it's also possible to mark the string as html_safe:

"something #{link_to('something else') if value == true}".html_safe

Read this as, "I'm telling you that this is safe so don't escape it."
-- 
Posted via http://www.ruby-forum.com/.
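Added example, not code from the post above or from Rails itself: a small model of what Rails 3's `<%= %>` does with a plain String versus a String marked html_safe, showing why the interpolated `"something #{link_to(...)}"` gets escaped, why `.html_safe` fixes it, and the caveat that marking a string containing user input as safe hands the attacker the XSS back. The `SafeBuffer`, `link_to(text, href)` and `erb_output` below are stand-ins written for this example (assumptions, not the ActiveSupport or ActionView implementations); the real `link_to` signature differs from the one-argument call in the post.

```ruby
require "erb"

# Stand-in for ActiveSupport::SafeBuffer (assumption: models the behaviour
# discussed in the thread, not the real class). Appending a plain String
# escapes it; appending a safe one passes it through.
class SafeBuffer < String
  def html_safe?
    true
  end

  def +(other)
    piece = other.html_safe? ? other : ERB::Util.html_escape(other.to_s)
    SafeBuffer.new(super(piece))
  end
end

class String
  def html_safe?
    false
  end

  def html_safe
    SafeBuffer.new(self)
  end
end

# What <%= value %> does in Rails 3: escape unless the value says it is safe.
def erb_output(value)
  value.html_safe? ? String.new(value) : ERB::Util.html_escape(value.to_s)
end

# The opposite of the old 'h' helper: mark the string as safe without escaping.
def raw(value)
  value.to_s.html_safe
end

# Stand-in for link_to: escapes its inputs, then marks the finished tag safe.
def link_to(text, href)
  %(<a href="#{ERB::Util.html_escape(href)}">#{ERB::Util.html_escape(text)}</a>).html_safe
end

# The pattern from the question. Ruby string interpolation always yields a
# plain String, so the safe link loses its html_safe flag and gets escaped.
def interpolated(value)
  "something #{link_to('something else', '/x') if value == true}"
end

# The fix suggested in the reply: mark the whole result as safe.
def interpolated_safe(value)
  interpolated(value).html_safe
end

# An alternative that needs no blanket html_safe on the final string:
# concatenate onto a safe buffer and let it escape whatever is not safe.
def concatenated(value)
  "something ".html_safe + (value == true ? link_to("something else", "/x") : "")
end

# The trap: html_safe on a string that embeds user input disables escaping
# for that input too. The constructed sample payload is an attacker's name.
ATTACKER_NAME = "<script>alert(1)</script>" # constructed sample input

def greeting_unsafe(name)
  "Hello #{name}".html_safe
end

def greeting_safe(name)
  "Hello ".html_safe + name
end

if __FILE__ == $PROGRAM_NAME
  puts erb_output(interpolated(true))        # link is escaped
  puts erb_output(interpolated_safe(true))   # link renders
  puts erb_output(concatenated(true))        # link renders
  puts erb_output(greeting_unsafe(ATTACKER_NAME)) # script tag survives: XSS
  puts erb_output(greeting_safe(ATTACKER_NAME))   # script tag is escaped
end
```

The last two lines are the check to apply before writing `.html_safe` anywhere: every piece of the string must already be trusted markup. Building the output on a safe buffer with `+` (or, in Rails, `safe_join`) keeps the escaping for the untrusted parts instead of switching it off for the whole string.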
