I'm looking at this Railscast episode and wondering why the call to
According to the Rails docs:
But that doesn't mean much to me.
It's easier to understand if you split the code in two parts.
The first part
Now let's examine the ruby part inside the
<%= ... %>. What does
So, what happens if our partial contains some simple html, like this one?
<%= ... %> with the code of that partial, then we have a problem - immediately after the
In order for this not to happen, you want to escape these special characters so your string is not cut - you need something that generates this instead:
Users may post malicious code (malicious users) that, if left unescaped, will potentially get executed, allowing users to control your application.
<% variable = '"); alert("hi there' %>
$("#reviews").append("<%= variable %>");
I'm not really familiar with the syntax of Rails, but if you don't escape
variable then an alert box will show, and I don't think that is intended behaviour.
If you look at the source here, it will be much clearer.
This function accomplishes the following two things:
It substitutes the characters in the input string with the ones defined in JS_ESCAPE_MAP
That said, I am not denying that script injection is possible. But to avoid that you need to take steps when you take the user data and store it in your database. The function and example you are providing are related to rendering the information, which was already saved.
I hope this helps and answers your question.
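To make the two answers above concrete, here is an added example (not code from the question, the answers or Rails itself): a small re-implementation of escape_javascript modelled on ActionView's JS_ESCAPE_MAP, plus a minimal JS string-literal reader that shows why the `"); alert("hi there` payload splits the append() call into two statements when unescaped and stays one harmless string literal when escaped. The names read_js_string, append_call and append_argument_intact? are my own; the map is assumed to be the classic one (newer Rails versions also escape the backtick and $).

```ruby
# Re-implementation of escape_javascript, modelled on ActionView's JS_ESCAPE_MAP.
# Assumption: classic map only; newer Rails versions also escape ` and $.
JS_ESCAPE_MAP = {
  "\\"   => "\\\\",  # \  -> \\
  "</"   => "<\\/",  # </ -> <\/  so "</script>" cannot close the enclosing tag
  "\r\n" => "\\n",   # real line breaks become the two characters \n
  "\n"   => "\\n",
  "\r"   => "\\n",
  '"'    => '\\"',   # the quote that would otherwise end the JS string literal
  "'"    => "\\'",
}.freeze
def escape_javascript(str)
  str.to_s.gsub(/(\\|<\/|\r\n|[\n\r"'])/, JS_ESCAPE_MAP)
end
# Builds the JS the template emits: $("#reviews").append("<%= ... %>");
def append_call(value, escape: true)
  %Q{$("#reviews").append("#{escape ? escape_javascript(value) : value}");}
end
JS_UNESCAPE = { "n" => "\n", "r" => "\r", "t" => "\t" }.freeze
# Reads one double-quoted JS string literal starting at src[0], as a JS parser
# would. Returns [decoded_value, index_after_closing_quote], or nil if unclosed.
def read_js_string(src)
  raise ArgumentError, "expected a double-quoted literal" unless src.start_with?('"')
  out = +""
  i = 1
  while i < src.length
    c = src[i]
    if c == "\\"                      # backslash escape: consume the next char
      nxt = src[i + 1]
      out << (JS_UNESCAPE[nxt] || nxt.to_s)
      i += 2
    elsif c == '"'                    # unescaped quote terminates the literal
      return [out, i + 1]
    else
      out << c
      i += 1
    end
  end
  nil
end
# True only if the whole append(...) argument is a single string literal, i.e.
# nothing after the first unescaped quote would be parsed as code.
def append_argument_intact?(js)
  arg = js[/\.append\((.*)\);\z/m, 1]
  return false unless arg
  parsed = read_js_string(arg)
  !parsed.nil? && parsed[1] == arg.length
end
```

With the payload from the answer above, append_call(payload, escape: false) yields `$("#reviews").append(""); alert("hi there");`, whose string literal ends after two characters, while the escaped form keeps the entire payload inside one literal; a rendered partial with quotes, newlines and `</div>` round-trips through read_js_string unchanged.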