Apply the recommended security controls depending on the framework and template engine of choice.
Rails provides ERB (Embedded RuBy) as a template engine to generate dynamic web pages.
Before Rails 3.x, the function `escapeHTML()` (or its alias `h()`) had to be called explicitly to escape HTML output in every template; in more recent versions, escaping is on by default in all view templates.
To bypass the automatic encoding in recent Rails versions, calling `html_safe` on a string or prepending `raw` marks the string as HTML safe, and ERB inserts it unaltered into the output.
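Added example, not from the original page: it shows the HTML entity encoding that Rails' default ERB output escaping applies to untrusted input, and a simple review check that flags template lines using the two bypasses mentioned above (`raw` and `html_safe`). The sample template is constructed for illustration.

```ruby
# Added example (not from the original page): shows what Rails' default
# ERB escaping does to untrusted input and flags the two bypasses the
# text mentions (`raw` and `html_safe`) in a template, as a review check.
require 'erb'

# Rails >= 3.x escapes <%= %> output by default; this is the same
# HTML entity encoding that ERB::Util.html_escape performs.
def escape_for_html(untrusted)
  ERB::Util.html_escape(untrusted)
end

# Output marked HTML-safe skips the default encoding, so every such
# site needs a reviewer to confirm the value is not attacker-controlled.
BYPASS_PATTERN = /<%=\s*raw\b|\.html_safe\b/

# Return the 1-based line numbers in an ERB template where output is
# marked HTML-safe and therefore bypasses the default escaping.
def find_escape_bypasses(template_source)
  template_source.each_line.with_index(1).filter_map do |line, number|
    number if line.match?(BYPASS_PATTERN)
  end
end

# Constructed sample template (not from any real application).
SAMPLE_TEMPLATE = <<~ERB
  <h1><%= @title %></h1>
  <p><%= raw @comment.body %></p>
  <div><%= @profile.bio.html_safe %></div>
  <span title="<%= @user.name %>"><%= @user.name %></span>
ERB

if __FILE__ == $PROGRAM_NAME
  puts escape_for_html('<script>alert(1)</script>')
  # => &lt;script&gt;alert(1)&lt;/script&gt;
  p find_escape_bypasses(SAMPLE_TEMPLATE)  # => [2, 3]
end
```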
| Context | Code | Rails >=3.x ERB Encoding mechanisms |
|---|---|---|
| HTML Code and Attribute | | HTML Escaped: encode data for use in HTML using HTML entity encoding |