How to HTML encode/escape a string? Is there a built-in?

html ruby ruby-on-rails encode escaping

I have an untrusted string that I want to show as text in an HTML page. I need to escape the chars '<' and '&' as HTML entities. The less fuss the better.

I'm using UTF8 and don't need other entities for accented letters.

Is there a built-in function in Ruby or Rails, or should I roll my own?


Checkout the Ruby CGI class. There are methods to encode and decode HTML as well as URLs.

CGI::escapeHTML('Usage: foo "bar" <baz>')
# => "Usage: foo &quot;bar&quot; &lt;baz&gt;"

The h helper method:

<%=h "<p> will be preserved" %>

In Ruby on Rails 3 HTML will be escaped by default.

For non-escaped strings use:

<%= raw "<p>hello world!</p>" %>

ERB::Util.html_escape can be used anywhere. It is available without using require in Rails.


An addition to Christopher Bradford's answer to use the HTML escaping anywhere, since most people don't use CGI nowadays, you can also use Rack:

require 'rack/utils'
Rack::Utils.escape_html('Usage: foo "bar" <baz>')

Related

Get last record in a queryset
pip installation /usr/local/opt/python/bin/python2.7: bad interpreter: No such file or directory
Ruby: Merging variables in to a string
CollectionView sizeForItemAtIndexPath never called
Better way to convert file sizes in Python [closed]
Validate email address in Dart? [duplicate]
Clear text in EditText when entered [duplicate]
Authentication issue when debugging in VS2013 - iis express
Location of the mongodb database on mac
grunt: command not found when running from terminal
Creating a shadow copy using the "Backup" context in a PowerShell
MbUnit under Linux, used within an F# project?