Remove uses of h escaping
#39
Comments
gravitystorm
pushed a commit
that referenced
this issue
Oct 26, 2022
… the text value of that node. This will unescape ' into an apostrophe. All callers of this function will later re-encode it depending out output whether it be HTML in an email, or XML in an RSS feed. * app/mailers/user_mail.rb * app/helpers/geocode_helper.rb * app/views/api/notes/feed.rss.builder * app/views/api/notes/_note.rss.builder Fixes openstreetmap#3761
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
h(@model.attribute)was a common way to avoid html injection in the rails 2.x era. Since rails 3, all text fetched from the database is escaped automatically, and so e.g.h(@user.display_name)is unnecessary.The only edge cases are where we are directly messing around with the escaping system, by using things like raw (#38),
html_safeand so on. But in the vast majority of cases, theh(...)is no longer necessary.Removing this avoids new contributors having to figure out what's going on, as well as making the code more readable.
The text was updated successfully, but these errors were encountered: