Topic: html_escape in model

I've gotten tired of remembering to h() everything that's a user input (as almost our whole app is), so is there a way to call html_escape from the model as a before filter? I know how to do the filters, but how do you call a helper from a model?


Re: html_escape in model

I don't recommend doing this in a before filter in the model because it will escape everything on each save, resulting in multiple escapes. Instead I would do this in the controller. Something like:

# escape each param value in place (CGI.escapeHTML only accepts strings)
params.values.each { |v| v.replace(CGI::escapeHTML(v)) }

This should escape all of the entered parameters (assuming they are all strings; you may want to add that as a condition).

Last edited by ryanb (2006-11-14 19:44:16)

Railscasts - Free Ruby on Rails Screencasts
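A runnable version of the controller-side approach from the reply above, as an added example (not ryanb's code and not part of the original thread): it escapes only String values, recurses into nested params, and contrasts that with a simulated model callback that escapes on every save. The params hash is constructed sample input; `escape_params!` and `save_with_model_escape` are hypothetical names.

```ruby
require 'cgi'

# Escape every String value in a params-like structure in place, recursing
# into nested Hashes and Arrays and leaving non-String values (numbers, nil)
# untouched. This is the "escape once, in the controller" approach with the
# string check the reply suggests adding. (Added example, hypothetical name.)
def escape_params!(value)
  case value
  when String
    value.replace(CGI.escapeHTML(value))
  when Hash
    value.each_value { |v| escape_params!(v) }
  when Array
    value.each { |v| escape_params!(v) }
  end
  value
end

# Simulates a model before-save callback that escapes on every save. Calling
# it more than once on the same record shows the double escaping the reply
# warns about: "<b>" becomes "&lt;b&gt;" and then "&amp;lt;b&amp;gt;".
def save_with_model_escape(record, times)
  times.times { record[:comment] = CGI.escapeHTML(record[:comment]) }
  record
end

# Constructed sample input standing in for a Rails params hash.
SAMPLE_PARAMS = {
  comment: "<script>alert(1)</script>",
  tags: ["a & b", "<b>"],
  user: { name: "Smith & Sons", age: 42, nickname: nil }
}

if __FILE__ == $0
  # deep copy so the literal strings in the constant are never mutated
  p escape_params!(Marshal.load(Marshal.dump(SAMPLE_PARAMS)))
  p save_with_model_escape({ comment: "<b>" }, 2)
end
```

Escaping on the way in stores HTML-encoded text, so anything that later renders the same value outside an HTML page (JSON, email, CSV) will show the entities; escaping at output time with h() in the view avoids that.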