htmlspecialchars

  • The h helper in this solution only works within the context of the Rails framework; CGI.escapeHTML is part of Ruby's standard library and works in any Ruby program.

    Escaping a string so it is safe to output as HTML text is done with the CGI.escapeHTML class method, which replaces &, <, >, " and ' with character entities. Rails provides the h helper (an alias for ERB::Util.html_escape, which does the same replacements) as a convenient shortcut within views. Note two differences from PHP: htmlspecialchars() in its traditional default mode (ENT_COMPAT, the default before PHP 8.1) leaves single quotes alone, so a value placed in a single-quoted attribute is not safe unless ENT_QUOTES is passed, whereas the Ruby methods escape both quote styles; and since Rails 3, <%= %> output is escaped automatically, so h is mainly needed in older applications or when you want the intent to be explicit (calling it on already-escaped output is harmless).

    PHP

    $result = htmlspecialchars('test "escaping" <characters>');
    var_export($result);
    // => 'test &quot;escaping&quot; &lt;characters&gt;'
    // Default flags escape &, <, > and double quotes only; pass ENT_QUOTES
    // to also escape single quotes.

    Ruby

    require 'cgi'
     
    p CGI.escapeHTML('test "escaping" <characters>')
    # => "test &quot;escaping&quot; &lt;characters&gt;"

    Rails

    app/controllers/users_controller.rb:

    class UsersController < ActionController::Base
      def show
        @user = User.find(params[:id])
      end
    end

    app/views/users/show.html.erb:

    <p><%= h(@user.username) %></p>

    <%# or the equivalent and often preferable %>
    <p><%=h @user.username %></p>
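    The practical consequence of the single-quote difference is easiest to see on a single-quoted attribute. The following is an added example, not code from the Rails for PHP site: it re-implements PHP's ENT_COMPAT behaviour locally (escape_php_compat is an emulation written here, not a call into PHP), runs a constructed attacker value through both that emulation and CGI.escapeHTML, and checks whether the value managed to break out of the attribute.

```ruby
require 'cgi'

# Constructed attacker input (not from the page): tries to close a
# single-quoted attribute and smuggle in an event-handler attribute.
PAYLOAD = "x' onmouseover='alert(1)".freeze

# Emulates PHP's pre-8.1 htmlspecialchars() default (ENT_COMPAT): escapes
# & < > and double quotes, but leaves single quotes alone. This is a local
# re-implementation for comparison, not PHP itself.
def escape_php_compat(str)
  str.gsub(/[&<>"]/, '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;')
end

# Ruby's CGI.escapeHTML also turns ' into &#39;. ERB::Util.html_escape,
# which Rails' h helper calls, behaves the same way.
def escape_ruby(str)
  CGI.escapeHTML(str)
end

# Places the escaped value inside a single-quoted attribute, the context in
# which the two escaping behaviours diverge.
def single_quoted_attr(value, escaper)
  "<div title='#{escaper.call(value)}'>...</div>"
end

# Naive check sufficient for this constructed input: did a quote followed by
# an onmouseover= attribute survive into the markup?
def broken_out?(html)
  !!(html =~ /'\s+onmouseover=/)
end

# Renders the payload both ways and reports whether each one broke out.
def compare
  php_like = single_quoted_attr(PAYLOAD, method(:escape_php_compat))
  ruby     = single_quoted_attr(PAYLOAD, method(:escape_ruby))
  {
    php_compat: php_like,
    php_compat_broken: broken_out?(php_like),
    ruby: ruby,
    ruby_broken: broken_out?(ruby)
  }
end

if __FILE__ == $PROGRAM_NAME
  compare.each { |key, value| puts "#{key}: #{value}" }
end
```

    The emulated PHP default leaves the payload untouched, so the rendered tag gains a live onmouseover attribute; CGI.escapeHTML turns each ' into &#39; and the value stays inside title. The same comparison applies to h in a Rails view. Escaping is still context-specific: none of these functions make a value safe inside a <script> block, a URL, or a CSS property.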


Rails for PHP is brought to you by Maintainable Software. Get custom web applications and personalized training from the authors of the book and website.