There’s already a danger in Example 2-4, called HTML
injection. While the source of
@bonus is clear at the moment—the controller code is
stupidly simple and receives no user input—more complicated programs offer
opportunities for malicious users to send their own HTML through parameters or form fields.
To reduce their odds of causing a problem, wrap values that you know aren’t supposed
to contain HTML in an
function, short for
html_escape(). Example 2-7 shows a safer version of the code
from Example 2-5.
Example 2-7. Modifying index.html.erb to use instance variables from the controller
<html> <head><title><%= h(@message) %> </title></head> <body> <h1><%
= h(@message) %></h1> <p>This is a greeting from app/views/hello/index.html.erb</p> <p><%
= h(@bonus) %></p> </body> </html>
h() isn’t always appropriate because
there will be times when you want to include HTML directly, without turning "
bold" into "
<b>bold</b>.” Sometimes applications need to be able to say
bold instead of <b>bold</b>. For these cases,
you can use
sanitize function escapes
script tags and removes event handling attributes whose names
on, as well as links starting with
sanitize() functions does take more typing, but it
can spare you considerable pain later on, for security reasons that Chapter 18 will explore in more depth. (You can, of course, leave them off ...