Module: ERB::Util

Defined in:

lib/active_support/core_ext/string/output_safety.rb

Constant Summary

HTML_ESCAPE =

{ '&' => '&amp;',  '>' => '&gt;',   '<' => '&lt;', '"' => '&quot;', "'" => '&#39;' }

JSON_ESCAPE =

{ '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }

HTML_ESCAPE_ONCE_REGEXP =

/["><']|&(?!([a-zA-Z]+|(#\d+));)/

JSON_ESCAPE_REGEXP =

/[&"><]/

Class Method Summary

• .h ⇒ Object

  A utility method for escaping HTML tag characters.

• .html_escape(s) ⇒ Object

  A utility method for escaping HTML tag characters.

• .html_escape_once(s) ⇒ Object

  A utility method for escaping HTML without affecting existing escaped entities.

• .json_escape(s) ⇒ Object

  A utility method for escaping HTML entities in JSON strings using uXXXX JavaScript escape sequences for string literals:.

Class Method Details

.h ⇒ Object

A utility method for escaping HTML tag characters. This method is also aliased as h.

In your ERB templates, use this method to escape any unsafe content. For example:

<%=h @person.name %>

puts html_escape('is a > 0 & a < 10?')
# => is a &gt; 0 &amp; a &lt; 10?

# File 'lib/active_support/core_ext/string/output_safety.rb', line 30

def html_escape(s)
  s = s.to_s
  if s.html_safe?
    s
  else
    s.gsub(/[&"'><]/, HTML_ESCAPE).html_safe
  end
end

.html_escape(s) ⇒ Object

A utility method for escaping HTML tag characters. This method is also aliased as h.

In your ERB templates, use this method to escape any unsafe content. For example:

<%=h @person.name %>

puts html_escape('is a > 0 & a < 10?')
# => is a &gt; 0 &amp; a &lt; 10?

# File 'lib/active_support/core_ext/string/output_safety.rb', line 19

def html_escape(s)
  s = s.to_s
  if s.html_safe?
    s
  else
    s.gsub(/[&"'><]/, HTML_ESCAPE).html_safe
  end
end

.html_escape_once(s) ⇒ Object

A utility method for escaping HTML without affecting existing escaped entities.

html_escape_once('1 < 2 &amp; 3')
# => "1 &lt; 2 &amp; 3"

html_escape_once('&lt;&lt; Accept & Checkout')
# => "&lt;&lt; Accept &amp; Checkout"

# File 'lib/active_support/core_ext/string/output_safety.rb', line 44

def html_escape_once(s)
  result = s.to_s.gsub(HTML_ESCAPE_ONCE_REGEXP, HTML_ESCAPE)
  s.html_safe? ? result.html_safe : result
end

.json_escape(s) ⇒ Object

A utility method for escaping HTML entities in JSON strings using uXXXX JavaScript escape sequences for string literals:

json_escape('is a > 0 & a < 10?')
# => is a \u003E 0 \u0026 a \u003C 10?

Note that after this operation is performed the output is not valid JSON. In particular double quotes are removed:

json_escape('{"name":"john","created_at":"2010-04-28T01:39:31Z","id":1}')
# => {name:john,created_at:2010-04-28T01:39:31Z,id:1}

# File 'lib/active_support/core_ext/string/output_safety.rb', line 62

def json_escape(s)
  result = s.to_s.gsub(JSON_ESCAPE_REGEXP, JSON_ESCAPE)
  s.html_safe? ? result.html_safe : result
end