Don't really know where to go with this one, but I gotta know...
What is the difference between the two following pieces of code?
<%= h(truncate(product.description, 80)) %>
and
<%= truncate(product.description, 80) %>
This question could also be asked by asking what h() does.
h is a user defined function, clearly since it looks like nothing in the ruby library.
and a bad choice of function name at that, as it's in no way meaningful to anyone but the original author (assuming of course that it isn't a core Ruby function)
Ruby doesn't have any core functions, they're all in classes.
e.g. file access = `File` class.
myfile = File.open("myfilename") { |z| print z.read }  # File.open yields the open handle to the block
and with that, I smiled, knowingly*, and walked to the next exhibit ...
*whaddhesay
My Agile Web Development with Rails just arrived yesterday night. I opened the book this morning and by strange coincidence, I opened it on page 345 which had the exact answer.
h() is short for html_escape() in the rails framework. You can use either h() or html_escape(), but most rails programmers use h() by convention, because it saves them some typing. Basically, you can use this method to html_escape any data. Why should you do this? What if your product description has a & in it. To output an & into your browser, the HTML should have &amp; instead of &. Similarly, you should have &lt; and &gt; instead of < and > in your code. Using h() will convert & to &amp; and < and > to &lt; and &gt; and other such conversions.
There are more security implications too. Consider the following rails code:
Name is <%= params[:name] %>
where name is entered by the user from a form. Normally, you would expect users to just enter their name (say "Joe Schmoe") and it would show the page like this:
Name is Joe Schmoe
Now, what if the user enters their name like this:
%3Ch1%3EJoe Schmoe%3C/h1%3E
The funky stuff is URL encoded HTML for <h1>Joe Schmoe</h1> and thus our page will show the text in big font, when we didn't mean it to. Of course, the person could do something a lot worse instead by entering some JavaScript and executing a cross-site scripting attack.
To prevent this, it is a good idea to html escape the output. You can use:
Name is <%= h(params[:name]) %>
and it will HTML encode the output safely, so it can't be exploited.
Incidentally, rails also provides the sanitize() method. The sanitize method takes a string and cleans up any dangerous HTML elements. <form>, <script> are escaped, any on= attribs (onclick=, onselect= etc.) and links with javascript: tags are removed.
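To make the difference between the two ERB snippets concrete, here is an added example (not code from the thread or from Rails) with a minimal stand-in for h() built on Ruby's stdlib CGI.escapeHTML, and a simplified truncate() that mimics the positional-argument helper used in the question. It runs the two expressions over a constructed product description, and also shows why the order h(truncate(...)) is the right one: escaping first and truncating second can cut an entity such as &amp; in half. The helper names and the sample string are assumptions made for illustration.

```ruby
require "cgi"

# Added example, not from the thread: a stand-in for Rails' h()/html_escape.
# CGI.escapeHTML (Ruby stdlib) rewrites & < > " and ' as HTML entities, so
# anything in the string is shown as text and never parsed as markup.
def h(text)
  CGI.escapeHTML(text.to_s)
end

# Simplified stand-in for the Rails truncate helper with positional args:
# cut the string to at most +length+ characters, ending with +omission+
# when something was removed.
def truncate(text, length = 30, omission = "...")
  return text if text.length <= length
  text[0, length - omission.length] + omission
end

# The two expressions from the question, side by side.
def render_escaped(description)
  h(truncate(description, 80))      # <%= h(truncate(product.description, 80)) %>
end

def render_raw(description)
  truncate(description, 80)         # <%= truncate(product.description, 80) %>
end

# Why the order matters: escaping first and truncating second can split an
# entity, leaving a dangling "&" in the page.
def escape_then_truncate(text, length)
  truncate(h(text), length)
end

def truncate_then_escape(text, length)
  h(truncate(text, length))
end

# Constructed sample (hypothetical data): a description that carries markup,
# an ampersand and a script tag, as a hostile user might submit it.
SAMPLE_DESCRIPTION = "<h1>Joe Schmoe</h1> sells Tom & Jerry DVDs <script>alert(1)</script>"

if __FILE__ == $0
  puts "raw:     " + render_raw(SAMPLE_DESCRIPTION)
  puts "escaped: " + render_escaped(SAMPLE_DESCRIPTION)
  puts "escape then truncate: " + escape_then_truncate("Tom & Jerry", 8)
  puts "truncate then escape: " + truncate_then_escape("Tom & Jerry", 8)
end
```

The raw rendering hands the <h1> and <script> tags straight to the browser; the escaped one turns every < and & into &lt; and &amp;, so the text is displayed but never interpreted. The last two calls show the order problem: escaping "Tom & Jerry" and then cutting it to 8 characters yields "Tom &...", a broken entity, whereas truncating first and escaping last yields "Tom &amp;...", which is well-formed.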
Y'see, you learn st*ff here, cheers Scorp
and, not to suggest anyone look elsewhere for help....
the rails community has amazing support: http://rubyonrails.com/community
i prefer #rubyonrails on IRC or the mailing list
#rubyonrails on freenode can be a good place, yes, but they can be twats as well, merely telling you to google, even if you spent an hour doing so already