
Add a note to TextHelpers making explicit their default behavior of not escaping but sanitizing.
1 parent 78e085b commit 645f5158432b541948bcb3e3745cce18ab257df2 @josevalim josevalim committed Nov 8, 2010
Showing with 18 additions and 0 deletions.
  1. +18 −0 actionpack/lib/action_view/helpers/text_helper.rb
18 actionpack/lib/action_view/helpers/text_helper.rb
@@ -9,6 +9,24 @@ module Helpers #:nodoc:
# and transforming strings, which can reduce the amount of inline Ruby code in
# your views. These helper methods extend Action View making them callable
# within your template files.
+ #
+ # ==== Sanitization
+ #
+ # Most text helpers by default sanitize the given content, but do not escape it.
+ # This means HTML tags will appear in the page but all malicious code will be removed.
+ # Let's look at some examples using the +simple_format+ method:
+ #
+ # simple_format('<a href="http://example.com/">Example</a>')
+ # # => "<p><a href=\"http://example.com/\">Example</a></p>"
+ #
+ # simple_format('<a href="javascript:alert('no!')">Example</a>')
+ # # => "<p><a>Example</a></p>"
+ #
+ # If you want to escape all content, you should invoke the +h+ method before
+ # calling the text helper.
+ #
+ # simple_format h('<a href="http://example.com/">Example</a>')
+ # # => "<p>&lt;a href=\"http://example.com/\"&gt;Example&lt;/a&gt;</p>"
module TextHelper
extend ActiveSupport::Concern
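Review bot: the second example in the new Sanitization note, `simple_format('<a href="javascript:alert('no!')">Example</a>')`, is not valid Ruby as written: the outer literal is single-quoted, so the string ends at `alert(` and the remainder is a parse error. Use a double-quoted outer string, e.g. `simple_format("<a href=\"javascript:alert('no!')\">Example</a>")`, or escape the inner quotes. Two smaller accuracy points in the same comment block: "all malicious code will be removed" promises more than a whitelist sanitizer can deliver, so it would be safer to say that tags and attributes not on the sanitizer's whitelist are stripped (which is what the bare `<a>` in that example shows); and since `h` escapes double quotes to `&quot;`, the expected output of the last example should read `href=&quot;http://example.com/&quot;` rather than `href=\"http://example.com/\"`. Worth confirming both outputs in a console before this lands, since these examples are what readers will copy.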

0 comments on commit 645f515