@presidentbeef
Last active December 14, 2015 00:48
String#html_safe does not make a string HTML safe.
Loading development environment (Rails 3.2.11)
1.9.3p374 :001 > s = "<script>alert('hello')</script>"
=> "<script>alert('hello')</script>"
1.9.3p374 :002 > ERB::Util.html_escape s
=> "&lt;script&gt;alert(&#x27;hello&#x27;)&lt;/script&gt;"
1.9.3p374 :003 > safe = s.html_safe
=> "<script>alert('hello')</script>"
1.9.3p374 :004 > ERB::Util.html_escape safe
=> "<script>alert('hello')</script>"