Simple Ruby Question

Don't really know where to go with this one, but I gotta know...

What is the difference between the two following pieces of code?



and



This question could also be asked by asking what h() does.

h is a user defined function, clearly since it looks like nothing in the ruby library.

and a bad choice of function name at that, as it's in no way meaningful to anyone but the original author (assuming of course that it isn't a core Ruby function)

Ruby doesn't have any core functions, they're all in classes.

eg. File access = `File` class.

myfile = new File("myfilename"){|z| print z}

and with that, I smiled, knowingly*, and walked to the next exhibit ...
*whaddhesay

My Agile Web Development with Rails just arrived yesterday night. I opened the book this morning and by strange coincidence, I opened it on page 345 which had the exact answer.

h() is short for html_escape() in the rails framework. You can use either h() or html_escape(), but most rails programmers use h() by convention, because it saves them some typing. Basically, you can use this method to html_escape any data. Why should you do this? What if your product description has a & in it. To output an & into your browser, the HTML should have & instead of &. Similarly, you should have < and > instead of < and > in your code. Using h() will convert & to & and < and > to < and > and other such conversions.

There are more security implications too. Consider the following rails code:

where name is entered by the user from a form. Normally, you would expect users to just enter their name (say "Joe Schmoe") and it would show the page like this:

Now, what if the user enters their name like this:
%3Ch1%3EJoe Schmoe%3C/h1%3E
The funky stuff is URL encoded HTML for <h1>Joe Schmoe</h1> and thus our page will show the text in big font, when we didn't mean it to. Of course, the person could do something a lot worse instead by entering some javascript instead and execute a cross side scripting attack.

To prevent this, it is a good idea to html escape the output. You can use:

and it will HTML encode the output safely, so it can't be exploited.

Incidentally, rails also provides the sanitize() method. The sanitize method takes a string and cleans up any dangerous HTML elements. <form>, <script> are escaped, any on= attribs (onclick=, onselect= etc.) and links with javascript: tags are removed.

Y'see, you learn st*ff here, cheers Scorp

and, not to suggest anyone look elsewhere for help....

the rails community has amazing support: http://rubyonrails.com/community

i prefer #rubyonrails on IRC or the mailing list

#rubyonrails on freenode can be a good place, yes, but they can be twats as well, merely telling you to google, even if you spent an hour doing so already