Use either:
html_escape(someStringToBeEscaped)
Or the shorthand:
h(someStringToBeEscaped)
URL encode
url_encode(someStringToBeEscaped)
Or the shorthand:
u(someStringToBeEscaped)
Question: Is there any way to automatically escape all rendered HTML without having to explicitly call html_escape?
Answer (or at least, one of many possible answers): It should be fairly simple, but I don’t think you’d want to. That would result in the readers just seeing raw HTML (as if they had chosen “view source”).
I think you meant to ask “Is there any way to automatically escape all _HTML without having to explicitly call html_escape?” but I don’t know what you want in the blank. “User entered”? “SQL fields embedded in”? “tainted”?
Suggestion: Perhaps they’re meaning to ask if there is a way of having all <%= %> tags automatically escaping HTML, either by default or by specifying a one-off setting. I would be in favour of this. The h() would be more user-friendly as a way of specifying you do not want to escape HTML.
That would be a terrible idea as it would pretty much preclude you from running any helper functions.
Another idea: The above suggestion does make a point. It could be an idea to have e.g. <- for escaped text and <= for unescaped.
If you’d like to escape HTML from someplace other than a view, use ERB::Util.h("foo")
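The following Ruby script is an added example, not code from the page or from Rails itself; it exercises the ERB::Util helpers listed at the top (html_escape / h and url_encode / u) outside of a view, renders a tiny ERB template both with and without h() so the difference in output is visible, and sketches the "escape every <%= %> by default" idea from the discussion as a template preprocessor. The sample input string, the template strings and the helper names escape_both_ways, query_param, render and escape_every_output are all constructed for this example.

```ruby
require "erb"
include ERB::Util # brings html_escape / h and url_encode / u into scope

# Constructed sample of user-supplied text (not taken from the page). It
# carries markup, double and single quotes and an ampersand, i.e. every
# character html_escape must neutralise before the text lands in a page.
UNTRUSTED = %q{<script>alert("x")</script> & 'Tom'}

# html_escape and h are the same method, so both return identical output.
def escape_both_ways(str)
  [html_escape(str), h(str)]
end

# url_encode percent-encodes everything outside the unreserved set, so a
# value dropped into a query string cannot add or split parameters.
def query_param(name, value)
  "#{u(name)}=#{u(value)}"
end

# Two ERB templates (constructed): one embeds the value raw, the other
# passes it through h() first.
RAW_TEMPLATE     = "<p><%= comment %></p>"
ESCAPED_TEMPLATE = "<p><%= h(comment) %></p>"

# Render a template with `comment` bound to the given string.
def render(template, comment)
  ERB.new(template).result(binding)
end

# A crude version of the "escape by default" suggestion: rewrite every
# <%= expr %> into <%= h(expr) %> before the template is compiled.
# Note the objection raised in the discussion: any helper that already
# returns HTML would be escaped a second time by this rewrite.
def escape_every_output(template)
  template.gsub(/<%=\s*(.+?)\s*%>/) { "<%= h(#{Regexp.last_match(1)}) %>" }
end

if __FILE__ == $PROGRAM_NAME
  puts html_escape(UNTRUSTED)
  puts query_param("q", "a b&c=d")
  puts render(RAW_TEMPLATE, UNTRUSTED)      # markup survives untouched
  puts render(ESCAPED_TEMPLATE, UNTRUSTED)  # markup rendered as text
  puts render(escape_every_output(RAW_TEMPLATE), UNTRUSTED)
end
```

Running the script prints the raw rendering with the script tag intact, then the escaped rendering in which every special character has become an entity; the preprocessed template produces the same escaped output as the one that calls h() explicitly.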