
Is it safe to put params in a flash notice?

开发者 https://www.devze.com 2023-03-24 01:18 Source: web

Here's my action code in my controller.

def index
  if params[:writer]
    # Filter by the writer passed in the query string
    if Article.published.where('writer = ?', params[:writer]).count < 1
      # Nothing found: the user-supplied value is interpolated into the flash notice
      redirect_to articles_url, :notice => "There are no articles by #{params[:writer]}"
    else
      @articles = Article.published.where('writer = ?', params[:writer]).order('published_at DESC').page(params[:page]).per(20)
    end
  else
    # No filter: list all published articles, newest first
    @articles = Article.published.order('published_at DESC').page(params[:page]).per(20)
  end
end

I think the question is fairly obvious. In some simple testing Rails seems to escape that :notice just fine, but I wanted to make sure I wasn't asking for trouble by doing that.


That should be fine. Rails 3 escapes HTML by default when you display it via <%= %>

If you ever need it unescaped, you would display it as

<%= flash[:notice].html_safe %>
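The following is an added example, not code from the question or the answer above: it reproduces in plain Ruby what the default `<%= %>` escaping and the `html_safe` bypass do to a notice built from `params[:writer]`. It assumes a constructed writer value containing a tag, and uses `ERB::Util.html_escape`, the same escaper ActionView applies, so it runs without a Rails installation.

```ruby
# Added example (not from the original post): shows how a flash notice built
# from an attacker-controlled params[:writer] is rendered with and without
# Rails' default escaping. ERB::Util.html_escape is the escaper behind
# ActionView's <%= %>, so plain Ruby is enough to observe the difference.
require 'erb'

# Constructed sample value: a writer name that carries a script tag.
MALICIOUS_WRITER = '<script>alert(1)</script>'.freeze

# Mirrors the controller: the notice interpolates the raw parameter.
def build_notice(writer)
  "There are no articles by #{writer}"
end

# Default Rails behaviour for <%= flash[:notice] %>: the string is escaped.
def render_escaped(notice)
  ERB::Util.html_escape(notice)
end

# Equivalent of <%= flash[:notice].html_safe %>: escaping is skipped, so any
# markup that arrived in params[:writer] reaches the browser unchanged.
def render_html_safe(notice)
  notice
end

# True when the rendered fragment still contains a literal opening tag.
def contains_tag?(html)
  html.match?(/<[a-z]/i)
end

if __FILE__ == $PROGRAM_NAME
  notice = build_notice(MALICIOUS_WRITER)
  puts "escaped:   #{render_escaped(notice)}"
  puts "html_safe: #{render_html_safe(notice)}"
end
```

Only the `html_safe` path leaves the tag intact, which is why the answer's advice to keep the default escaping holds for any value that came from `params`.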
