Rails 3: HTML Escaping


Rails 2

So you've been working on Rails apps for a while, and like all good developers, you've been escaping any content rendered in your views that your application's users might have entered, right?

e.g. like this:

<%= h some_string %>

Rails 3

Now in Rails 3, all strings are html escaped automatically, so:

<%= h some_string %>
# is now
<%= some_string %>

By default no string is considered safe to render, so every string is HTML escaped. If you need to render HTML without it being escaped, you have to explicitly whitelist it as safe to render. This is done via .html_safe

<%= some_string.html_safe %>
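To show what that whitelisting actually does, here is a small model of the SafeBuffer behaviour behind Rails 3's automatic escaping, written for this post as an added illustration (it is not Rails' own ActiveSupport::SafeBuffer, and the erb_output and wrap helpers are constructed names, not Rails API):

```ruby
require 'cgi'

# Added illustration, not Rails' own code: a minimal model of the
# ActiveSupport::SafeBuffer behaviour behind Rails 3's automatic escaping.
# A SafeBuffer is a trusted String; anything appended to it that is not
# itself trusted is HTML-escaped on the way in.
class SafeBuffer < String
  def html_safe?
    true
  end

  # Untrusted input is escaped before it is appended; trusted input is not.
  def concat(value)
    trusted = value.respond_to?(:html_safe?) && value.html_safe?
    super(trusted ? value : CGI.escapeHTML(value.to_s))
  end
  alias << concat
end

class String
  # A plain String is untrusted by default...
  def html_safe?
    false
  end

  # ...until the developer explicitly whitelists it with .html_safe.
  def html_safe
    SafeBuffer.new(self)
  end
end

# What `<%= value %>` does in Rails 3: the template's output buffer is a
# SafeBuffer, so an untrusted value is escaped as it is written out.
def erb_output(value)
  SafeBuffer.new("") << value
end

# Trusted tags around untrusted content: only the content is escaped.
def wrap(tag, content)
  "<#{tag}>".html_safe << content << "</#{tag}>".html_safe
end

# Constructed user input that would execute if rendered verbatim.
USER_INPUT = %q{<script>alert("xss")</script>}

erb_output(USER_INPUT)             # => "&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;"
erb_output("<b>hi</b>".html_safe)  # => "<b>hi</b>"  (whitelisted, rendered verbatim)
wrap("em", USER_INPUT)             # => "<em>&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;</em>"
```

The last call is the point of the design: markup you built yourself stays trusted while the user-supplied part inside it is still escaped, which is why .html_safe belongs on markup your code generated and never on the raw input.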

For a more detailed explanation, check out: SafeBuffers and Rails 3.0 by Yehuda Katz
