Escaping ampersands entered by users through text fields?

Like almost all applications today, I have users who enter a variety of information through standard text inputs. My application is powered by Rails.

It's not easy to escape the ampersands that I include as part of my site copy, etc. But how can I escape the ampersand that is dynamically entered by the user? This is currently breaking my authentication.

1 answer


When displaying values, you need to replace certain characters with HTML entities. These characters are:

& : &amp;
< : &lt;
> : &gt;
" : &quot;

Perhaps there is an HtmlEncode function you can use to do this; otherwise you can use simple string operations. Pseudocode:

output replace(replace(replace(replace(text, "&", "&amp;"), "<", "&lt;"), ">", "&gt;"), "\"", "&quot;")



Edit:
I found that you can use the html_escape() function:

<%= html_escape @text %>

Or, for short:

<%= h @text %>

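As an added example that is not part of the original answer: the escaping rules above in runnable Ruby, using only the standard library (the `ERB::Util.html_escape` that Rails' `html_escape`/`h` helpers wrap). It goes a little beyond the answer's four characters by also escaping `'`, which matters when the value lands in a single-quoted attribute; it shows why the ampersand has to be replaced before anything else, what double escaping does to a value, and, since the question says the ampersand is breaking authentication, it contrasts HTML escaping with the URL encoding a value needs when it travels in a query string. The function names and the sample strings are constructed for this example.

```ruby
require 'erb'
require 'uri'

# Added example, not code from the original answer. Shows how to escape
# user-supplied text for the two sinks it usually ends up in: an HTML
# page and a URL query string.

# Characters with meaning in HTML and their entities. '&' is listed first
# on purpose: it has to be replaced before any other entity is introduced.
HTML_ESCAPES = {
  '&' => '&amp;',
  '<' => '&lt;',
  '>' => '&gt;',
  '"' => '&quot;',
  "'" => '&#39;'
}.freeze

# Single-pass escaper: one gsub over a character class, so every source
# character is looked at exactly once and no emitted entity is re-escaped.
def html_escape_manual(text)
  text.to_s.gsub(/[&<>"']/) { |c| HTML_ESCAPES[c] }
end

# The bug a chained-replace version can have when '&' is handled last:
# the '&' of an already emitted "&lt;" is turned into "&amp;lt;".
def html_escape_wrong_order(text)
  text.to_s.gsub('<', '&lt;').gsub('>', '&gt;').gsub('"', '&quot;').gsub('&', '&amp;')
end

# Same job via the standard-library helper that Rails' h / html_escape wrap.
def html_escape_stdlib(text)
  ERB::Util.html_escape(text)
end

# Double escaping: escaping on save and again on display corrupts the value.
# Escape exactly once, at output time.
def double_escaped(text)
  html_escape_manual(html_escape_manual(text))
end

# A value carried in a query string needs percent-encoding, not HTML
# entities: a raw '&' ends the parameter and a bogus second one appears.
def query_params_for(username)
  URI.encode_www_form(user: username)
end

# Parse a query string back into a Hash, the way a server framework would.
def parse_query(query_string)
  URI.decode_www_form(query_string).to_h
end

if __FILE__ == $PROGRAM_NAME
  sample = %(Tom & Jerry <b>"hi"</b>)   # constructed sample input
  puts html_escape_manual(sample)
  puts html_escape_wrong_order(sample)  # note the "&amp;lt;" corruption
  puts html_escape_stdlib(sample)
  puts double_escaped('a & b')
  puts query_params_for('a&b')
  p parse_query('user=a&b')             # the '&' split the value
  p parse_query(query_params_for('a&b'))
end
```

In Rails 3 and later `<%= %>` escapes its output automatically; `raw` and `html_safe` switch that off and belong only on markup you generated yourself. Escape once, at output, in the encoding the destination expects: HTML entities for text placed in a page, percent-encoding for a value placed in a URL. A value that was escaped before it was stored comes out double escaped on display, as `double_escaped` shows.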