1

I've been following the Rails 3 Getting Started guide and there was this note in the guide that I didn't understand:

In previous versions of Rails, you had to use <%=h post.name %> so that any HTML would be escaped before being inserted into the page. In Rails 3.0, this is now the default. To get unescaped HTML, you now use <%= raw post.name %>.

I don't really get what it means by escaped HTML vs unescaped HTML. Can someone explain this to me?

Thanks!

3 Answers

2

If post.name = <b>Bob</b>

then Escaped HTML will show

<b>Bob</b>

While Unescaped HTML will show raw output

Bob


1

Escaping HTML just means encoding it so it shows up looking like HTML, so you see <b>foo</b> instead of actually being treated as HTML on your page, like foo.

The way it does this is by converting special characters into safe versions called HTML entities. For example, the HTML entity for < is &gt;.
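An added example (not from the original question or answers) that models the Rails 3 behaviour the two answers above describe using only Ruby's standard library: `ERB::Util.html_escape` is the real helper behind Rails' `h`, while `SafeString`, `raw`, `output` and `render` are simplified stand-ins for Rails' `ActiveSupport::SafeBuffer` and `raw` helper, written here for illustration.

```ruby
require 'erb'

# Stand-in for ActiveSupport::SafeBuffer: a string the template author has
# vouched for, so the renderer must not escape it again.
class SafeString < String
  def html_safe?
    true
  end
end

# Stand-in for Rails 3 `raw`: opt a single value out of escaping.
def raw(value)
  SafeString.new(value.to_s)
end

# Stand-in for the Rails 3 default: <%= %> escapes every value unless it
# was explicitly marked safe. ERB::Util.html_escape turns &, <, >, " (and ')
# into HTML entities, so the browser displays them instead of parsing them.
def output(value)
  return value.to_s if value.respond_to?(:html_safe?) && value.html_safe?
  ERB::Util.html_escape(value.to_s)
end

# Render a one-line template for a post name, with or without `raw`.
# Plain ERB does not escape on its own, so `output` plays the Rails role.
def render(post_name, use_raw: false)
  name = post_name
  template = if use_raw
               '<h1><%= output(raw(name)) %></h1>'   # <%= raw post.name %>
             else
               '<h1><%= output(name) %></h1>'        # <%= post.name %>
             end
  ERB.new(template).result(binding)
end

# Constructed sample values, not taken from a real application.
if __FILE__ == $PROGRAM_NAME
  puts render('<b>Bob</b>')                   # <h1>&lt;b&gt;Bob&lt;/b&gt;</h1>
  puts render('<b>Bob</b>', use_raw: true)    # <h1><b>Bob</b></h1>
  puts render('Bob & "Friends"')              # <h1>Bob &amp; &quot;Friends&quot;</h1>
end
```

The escaped version shows the literal tags on the page, as the first answer says; the `raw` version hands the markup to the browser unchanged, so it should only be used for values the application itself produced.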


0

HTML escaping is important for securing Rails applications against cross-site scripting. To better understand cross-site scripting, please go through this initial screencast.

http://railscasts.com/episodes/27-cross-site-scripting

For further info about how this is handled in Rails 3:

http://railscasts.com/episodes/204-xss-protection-in-rails-3

I would suggest going through this guide about securing Rails applications, which talks about a whole lot of things.

http://guides.rubyonrails.org/v2.3.8/security.html
