SpringFlowers AutumnMoon
so h() is an alias for html_escape() and they convert the following 4
characters
< > & "
into
&lt; &gt; &amp; &quot;
the single quote is not converted...
I just wonder sometimes we happen to write code such as
<input type='hidden' value='<%= h(user_comment) %>'>
and it can cause a cross-site scripting (XSS) attack?
we usually use double quote but sometimes we use single quote like
somebody can write
puts "<input type='hidden' value='" + h(user_comment) + "'>"
(sorry, I have used PHP for quite some time and so my Ruby is rusty...)
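Added example, not code from the original post: it mimics the four-character escaping the post describes (`&`, `<`, `>`, `"` only, single quote untouched) next to a variant that also escapes `'`, renders each into the single-quoted hidden input from the post, and then checks, with a deliberately naive attribute parser, whether a crafted comment breaks out of the attribute. `legacy_h`, `safe_h`, `hidden_input`, `parsed_hidden_value`, `breakout?` and the sample payload are all assumptions made here for illustration.

```ruby
# Added example; not from the original post.
# Reproduces the behaviour the post asks about: an html_escape that only
# converts & < > " leaves a single-quoted attribute value open to breakout.

# Assumed: mirrors the old four-character h()/html_escape table.
LEGACY_HTML_ESCAPE = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;'
}.freeze

# Assumed: same table plus the single quote (as &#39;).
SAFE_HTML_ESCAPE = LEGACY_HTML_ESCAPE.merge("'" => '&#39;').freeze

# Escapes only & < > " ; the single quote passes through untouched.
def legacy_h(str)
  str.to_s.gsub(/[&<>"]/, LEGACY_HTML_ESCAPE)
end

# Escapes & < > " and ' ; safe inside either quoting style.
def safe_h(str)
  str.to_s.gsub(/[&<>"']/, SAFE_HTML_ESCAPE)
end

# Builds the single-quoted hidden input from the post with the given escaper.
def hidden_input(value, escaper)
  "<input type='hidden' value='" + escaper.call(value) + "'>"
end

# Naive attribute parser: returns [value the browser sees, what follows the
# closing quote]. A correct render leaves only ">" after the value.
def parsed_hidden_value(html)
  m = html.match(/value='([^']*)'(.*)\z/m)
  return [nil, nil] unless m
  [m[1], m[2]]
end

# True when the escaped value closed the attribute early, i.e. anything other
# than the bare ">" remains after the first single quote.
def breakout?(html)
  _value, rest = parsed_hidden_value(html)
  !rest.nil? && rest != '>'
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a comment that closes the quote and adds a handler.
  payload = "' onmouseover='alert(1)"
  [[:legacy_h, method(:legacy_h)], [:safe_h, method(:safe_h)]].each do |name, esc|
    html = hidden_input(payload, esc)
    puts "#{name}: #{html}"
    puts "  breakout? #{breakout?(html)}"
  end
end
```

With the four-character table the rendered markup is `<input type='hidden' value='' onmouseover='alert(1)'>`, so the comment becomes an attribute of its own; with the single quote escaped to `&#39;` the whole string stays inside `value='...'`. Using double-quoted attributes with the four-character escaper avoids the problem for this case, but escaping both quote characters removes the dependency on how each template happens to quote.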