
rails_xss, prefer raw or .html_escape?

Developer https://www.devze.com 2023-01-19 00:47 Source: web

Which is preferable?

<%= raw @item.description %>

or

<%= @item.description.html_safe %>


If you are outside of a view then the raw helper is not accessible (you can include it anywhere, but by default it is not available in models / controllers). So in those cases html_safe is the only sane option.

And inside a view? Well, here is the source code of the raw helper:

# actionpack-3.0.0/lib/action_view/helpers/raw_output_helper.rb
def raw(stringish)
  stringish.to_s.html_safe
end

so there is almost no difference, as raw simply calls #html_safe.


As Radek notes, raw uses html_safe, but because it first casts to a string, it avoids null exceptions. Therefore, raw is slightly better!
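To illustrate both answers, here is an added example (not code from the question, the answers, or Rails): a minimal stand-in for the Rails pieces involved, so it runs without Rails. SafeBuffer, String#html_safe, raw and the escaping done by <%= %> are modelled with the behaviour the answers describe; it shows raw(nil) returning "" where nil.html_safe raises, and that either helper turns escaping off for the value it marks.

```ruby
require 'cgi'

# Stand-in for ActiveSupport::SafeBuffer: a String that <%= %> will not escape.
class SafeBuffer < String
  def html_safe?
    true
  end
end

class String
  # Mirrors String#html_safe from ActiveSupport: marks the string as trusted.
  def html_safe
    SafeBuffer.new(self)
  end

  def html_safe?
    false
  end
end

# Mirrors the raw helper quoted in the answer above: to_s first, so nil becomes "".
def raw(stringish)
  stringish.to_s.html_safe
end

# What <%= value %> does under rails_xss / Rails 3: escape unless the value is trusted.
def erb_output(value)
  value.html_safe? ? value.to_s : CGI.escapeHTML(value.to_s)
end

# The nil difference: raw(nil) yields "", nil.html_safe raises NoMethodError
# (nil is a NilClass, not a String).
def nil_behaviour
  html_safe_result = begin
    nil.html_safe
  rescue NoMethodError
    :no_method_error
  end
  { raw: raw(nil), html_safe: html_safe_result }
end

# With trusted: true the description bypasses escaping entirely, exactly as raw or
# html_safe would in a view, so a user-controlled description must not take that path.
def render_description(description, trusted:)
  erb_output(trusted ? raw(description) : description)
end

if __FILE__ == $PROGRAM_NAME
  payload = '<script>alert(1)</script>' # constructed untrusted input
  puts render_description(payload, trusted: false)
  puts render_description(payload, trusted: true)
  p nil_behaviour
end
```

The point for a practitioner: the only difference between the two helpers is nil handling; neither one escapes anything, so the choice is irrelevant if @item.description is user-supplied and has not been sanitized first.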

