html escape. It's a method that converts things like < and > into numerical character references so that rendering won't break your html.

html 转义。这是一种将 < 和 > 之类的内容转换为数字字符引用的方法，以便渲染不会破坏您的 html。

<%=his actually 2 things happening. You're opening an erb tag (<%=) and calling the Rails method hto escape all symbols.

<%=h实际上是发生了两件事。您正在打开一个 erb 标记 ( <%=) 并调用 Rails 方法h来转义所有符号。

These two calls are equivalent:

这两个调用是等价的：

<%=h person.first_name %>
<%= h(person.first_name) %>

The hmethod is commonly used to escape HTML and Javascript from user-input forms.

该h方法通常用于从用户输入表单中转义 HTML 和 Javascript。

his a method alias for html_escapefrom the ERB::Utilclass.

h是html_escape来自ERB::Util类的方法别名。

There is also a method in Rack to escape HTML Rack::Utils.escape_htmlin case you are in Metal and want to escape some HTML.

Rack::Utils.escape_html如果您在 Metal 中并想转义某些 HTML ，Rack 中还有一种方法可以转义 HTML。

Way late to the party but I'm adding a further explanation to what html_escapeis doing to hopefully help other noobs like myself understand what's happening. Rails 3 and later automatically escape all output now and so there are much fewer situations where html_escapeaka h()will be needed. The most notable of which is when you intend to use the html_safemethod when building links with html in a presenter class etc. For example:

参加聚会已经很晚了，但我正在对html_escape正在做的事情做进一步的解释，希望能帮助像我这样的其他菜鸟了解正在发生的事情。Rails 3 和更高版本现在会自动转义所有输出，因此需要html_escapeaka的情况要少得多h()。其中最值得注意的是当您打算html_safe在演示者类等中使用 html 构建链接时使用该方法。例如：

#some_view.html.erb
<span><%= @user.name %></span>  #This is 100% fine and will be automatically escaped by Rails 3+
#Output =>  <span>Brian Kunzig</span>

#Now say we want a link with html that we need preserved!  OMG WHAT ARE DO??
<%=link_to "<span><i class='fa fa-user'></i>#{@user.name}</span>".html_safe  #DANGER!!!

The link above can cause serious problems and open you up to all sorts of xss (cross-site scripting) attacks. The most simple example, if a user saved their name as "<script>alert('omg');</script>"and you used html_safeon it, it will cause any page rendering their supposed name to get an alert saying 'omg'! This is a major problem. To avoid this do:

上面的链接可能会导致严重的问题，并使您面临各种 xss（跨站点脚本）攻击。最简单的例子，如果用户将他们的名字保存为 as"<script>alert('omg');</script>"并且你html_safe在上面使用了它，它会导致任何呈现他们假定名字的页面收到一个警告，说“omg”！这是一个主要问题。为避免这种情况，请执行以下操作：

<%=link_to "<span><i class='fa fa-user'></i>#{h(@user.name)}</span>".html_safe #Winning!

By escaping the potentially tainted data supplied by a user we're homefree!

通过转义用户提供的潜在污染数据，我们无家可归！

h is just alias for html_escape. It is a utility method commonly used to escape html and javascript from user input forms. It converts special charactes into numerical character references so that rendering won't break your html.

h 只是 html_escape 的别名。它是一种常用的实用方法，用于从用户输入表单中转义 html 和 javascript。它将特殊字符转换为数字字符引用，以便渲染不会破坏您的 html。

For example having

例如有

<%= h "<p>Hello World</p>" %>  

will output

会输出

<p>Hello World</p>

as text to view, paragraph won't be applied. it wil be encoded as

作为要查看的文本，将不应用段落。它将被编码为

<p>Hello World</p>.