h(@model.attribute) was a common way to avoid html injection in the rails 2.x era. Since rails 3, all text fetched from the database is escaped automatically, and so e.g. h(@user.display_name) is unnecessary.
The only edge cases are where we are directly messing around with the escaping system, by using things like raw (#38), html_safe and so on. But in the vast majority of cases, the h(...) is no longer necessary.
Removing this avoids new contributors having to figure out what's going on, as well as making the code more readable.
… the text value of that node.
This will unescape ' into an apostrophe.
All callers of this function will later re-encode it depending on output, whether it be HTML in an email, or XML in an RSS feed.
* app/mailers/user_mail.rb
* app/helpers/geocode_helper.rb
* app/views/api/notes/feed.rss.builder
* app/views/api/notes/_note.rss.builder
Fixes openstreetmap#3761
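The two behaviours discussed above, Rails' automatic output escaping (which makes `h(...)` redundant and leaves `raw`/`html_safe` as the only opt-outs) and the commit's approach of decoding stored entities once and letting each output re-encode, can be seen in this added example. It is not code from the openstreetmap-website project or from Rails: `SafeBuffer`, `h`, `raw`, `render` and `render_stored` are a minimal pure-Ruby model of the Rails 3+ output-buffer semantics written for this page, and `NAME` and the stored value passed to `render_stored` are constructed sample input.

```ruby
require "cgi"
require "erb"

# Minimal stand-in for ActiveSupport::SafeBuffer (an illustrative model, not the
# Rails implementation). A SafeBuffer is a String that answers html_safe? with
# true; the ERB output buffer of a Rails 3+ view is one, and it escapes every
# appended value that is not already flagged safe.
class SafeBuffer < String
  def html_safe?
    true
  end

  # Rails overrides to_s the same way so the safety flag survives interpolation.
  def to_s
    self
  end

  # Plain Strings are escaped on the way in; SafeBuffers pass through untouched.
  def <<(value)
    super(value.html_safe? ? value : ERB::Util.html_escape(value))
  end
end

class String
  def html_safe?
    false
  end

  # Declares the string trusted markup; nothing downstream will escape it again.
  def html_safe
    SafeBuffer.new(self)
  end
end

# The h helper: escape once and return a SafeBuffer so the output buffer does
# not escape it a second time. Already-safe input is returned as-is, which is
# why h(h(x)), h(x) and a bare x render identically.
def h(value)
  value.html_safe? ? value : ERB::Util.html_escape(value).html_safe
end

# raw is the explicit opt-out: the value is emitted exactly as given.
def raw(value)
  value.to_s.html_safe
end

# Simulates rendering the fragments of a view: literal template markup is
# html_safe, dynamic values are whatever the caller passed in.
def render(*fragments)
  fragments.each_with_object(SafeBuffer.new) { |fragment, buf| buf << fragment }
end

# Constructed untrusted input, e.g. a display name chosen by a user.
NAME = "O'Reilly <script>alert(1)</script>"

# Storing text already entity-encoded and rendering it through the buffer
# double-encodes it. Decoding once at the boundary (CGI.unescapeHTML here) and
# letting the output re-encode yields a single, correct encoding; an RSS builder
# would apply its own XML encoding to the same decoded text.
def render_stored(stored)
  {
    double_encoded: render(stored),
    decoded_once:   render(CGI.unescapeHTML(stored)),
  }
end
```

In a Rails console the same property can be checked directly: `ERB::Util.html_escape(x)` and `ERB::Util.html_escape(ERB::Util.html_escape(x))` return the same markup, because ActiveSupport's `html_escape` returns an input that is already `html_safe?` unchanged. That is exactly why wrapping a view expression in `h(...)` changes nothing, and why only `raw` and `html_safe` can reintroduce injection.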