by the way, sanitize and strip_tags work as follows:

    <div id="divForS"></div>
    <div id="divForT"></div>
    <script type="text/javascript">
    var v = 1;
    var s = <%= sanitize(@s).to_json %>;
    var t = <%= strip_tags(@s).to_json %>;
    document.getElementById('divForS').innerHTML = s + v;
    document.getElementById('divForT').innerHTML = t + v;
    </script>

the HTML generated is:

    var s = "Bill Gates's dog said \"whoof whoof\" and \n \074b\076ran\074/b\076 <script\076 alert('hi');v=2; </script\076 away.";
    var t = "Bill Gates's dog said \"whoof whoof\" and \n ran alert('hi');v=2; away.";

and the web browser shows it on the screen as:

    Bill Gates's dog said "whoof whoof" and ran <script> alert('hi');v=2; </script> away.1
    Bill Gates's dog said "whoof whoof" and ran alert('hi');v=2; away.1

One thing I don't understand is that if I remove the sanitize function, the alert will not get called, and v won't be set to 2, so the line for innerHTML = t + v will still show v as 1. I thought the script part would get executed? Or is it a rule that it won't be executed, and in that case, we don't need to use h, sanitize, or strip_tags to prevent cross-site scripting (XSS) if we set the value into innerHTML? So in that case, s.to_json is good enough? (Unless some browsers actually execute them, and make XSS possible.)

thanks.

-- 
Posted via http://www.ruby-forum.com/.
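The post uses the same value in two different contexts: inside a JavaScript string literal within the script block (where to_json's escaping of < and > matters, because an unescaped "</script>" would end the script element early), and as HTML through innerHTML (where JSON encoding does nothing, because the browser parses whatever the decoded string contains as markup). The following is an added example, not code from the post or from Rails, that keeps the two contexts apart. htmlEscape and jsonForScript are hypothetical helpers standing in for Rails' h and json_escape, the \u003c escapes play the same role as the \074 octal escapes in the post's output, and SAMPLE is a constructed input modelled on the post's string. It runs under Node without a browser, so it checks the strings that would reach the page rather than what a particular browser does with them.

```javascript
// Added example (not from the original post): the two escaping contexts the post mixes together.
// Context 1: a value embedded in a JavaScript string literal inside <script> (what to_json covers).
// Context 2: a value written into the document as HTML (what innerHTML interprets).

// Escape for the HTML text context; hypothetical stand-in for Rails' h / ERB::Util.html_escape.
function htmlEscape(str) {
  return String(str).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// JSON-encode for embedding inside a <script> block. Plain JSON.stringify leaves '<' and '>'
// untouched, so a value containing "</script>" would terminate the enclosing script element.
// Escaping them as \u003c / \u003e (hypothetical stand-in for Rails' json_escape; the post's
// \074 / \076 escapes serve the same purpose) keeps the JSON valid and the script block intact.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026');
}

// Constructed sample input, modelled on the string in the post.
const SAMPLE = "Bill Gates's dog said \"whoof whoof\" and \n <b>ran</b> <script> alert('hi');v=2; </script> away.";

// Rendering path A (the post's approach): the browser JSON-decodes the literal and the result is
// assigned to innerHTML. Decoding is lossless, so every tag in the input comes back as markup;
// whether a given browser runs script elements inserted this way is a separate question.
function decodedForInnerHTML(encoded) {
  return JSON.parse(encoded);
}

// Rendering path B: HTML-escape on the server before JSON-encoding, so that the decoded value is
// plain text even if it is handed to innerHTML (assigning it to textContent has the same effect).
function safeForInnerHTML(raw) {
  return jsonForScript(htmlEscape(raw));
}

function demo() {
  const encoded = jsonForScript(SAMPLE);
  const decoded = decodedForInnerHTML(encoded);
  return {
    encoded,
    closesScriptBlock: /<\/script>/i.test(encoded),  // false: the literal cannot end the <script>
    roundTrip: decoded === SAMPLE,                   // true: JSON encoding changed nothing
    decodedHasTags: /<script>/i.test(decoded),       // true: the markup is back for innerHTML to parse
    escapedDecoded: JSON.parse(safeForInnerHTML(SAMPLE)),  // text with &lt;script&gt;, no '<' at all
  };
}

module.exports = { htmlEscape, jsonForScript, decodedForInnerHTML, safeForInnerHTML, demo };
```

The point the example makes for the question in the post: to_json (with its < and > escaping) protects only the JavaScript-literal context. Once the browser decodes the string, innerHTML parses it as HTML regardless of how it was encoded on the server, so whether the page ends up running script depends on what markup the value contains and on browser behaviour. Escaping for the HTML context (h before to_json), or using textContent instead of innerHTML, removes that dependence.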