Question
I found here the following syntax:
<%=h @person.first_name %>
What does the h mean?
Answer 1:
It's for escaping the output of the tag to avoid cross-site scripting. In Rails 3, it's been changed to the default for a string (so rather than saying escape this string, you say, this is a safe string).
http://api.rubyonrails.org/classes/ERB/Util.html#method-c-h
Answer 2:
h is an alias for the html_escape method in Rails.
If you do not escape the text using h, then someone can write JavaScript there and it will get executed when you render the page.
So if you're not sure the data you're displaying is absolutely safe, run it through a filter that escapes HTML tag characters.
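An added example (not from either answer, and using plain stdlib ERB rather than a Rails view) that renders the question's template both without and with h against a constructed first name that carries markup, so the difference the answers describe can be seen in the output:

```ruby
require "erb"
include ERB::Util # brings h / html_escape into scope, as Rails views have it

# Constructed sample input (not from the page): a "first name" field that
# carries markup instead of a name.
UNTRUSTED_NAME = "<script>alert(1)</script>Bob"

Person = Struct.new(:first_name)

# The same template with and without the h helper from the question.
TEMPLATE_WITHOUT_H = "<p>Hello, <%= @person.first_name %></p>"
TEMPLATE_WITH_H    = "<p>Hello, <%=h @person.first_name %></p>"

def render(template, person)
  @person = person # ERB evaluates the template against this binding
  ERB.new(template).result(binding)
end

# Without h the markup is emitted verbatim, so a browser would execute it.
def render_without_h(person)
  render(TEMPLATE_WITHOUT_H, person)
end

# With h the tag characters become entities and the browser shows plain text.
def render_with_h(person)
  render(TEMPLATE_WITH_H, person)
end

# Simple check for output review: does a raw <script> tag survive rendering?
def contains_raw_script?(html)
  html.include?("<script")
end

if __FILE__ == $PROGRAM_NAME
  person = Person.new(UNTRUSTED_NAME)
  puts render_without_h(person)
  puts render_with_h(person)
end
```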
Source: https://stackoverflow.com/questions/4448860/what-does-h-means-in-rails