Challenge 3: Escaping vs raw — Solution
<%= @bio %>
<%= raw(@bio) %>
# How each renders in the browser, given @bio = "Bold claim":
#
# <%= @bio %> renders as literal, visible text on the page:
# Bold claim
# The angle brackets are escaped to HTML entities (<b>) internally,
# so the browser displays the tags themselves as plain text rather than
# interpreting them -- nothing is bolded, the user sees the raw markup
# characters.
#
# <%= raw(@bio) %> renders as actual, interpreted HTML:
# Bold claim
# with "Bold" genuinely bold, because raw() tells Rails to skip escaping
# entirely and send the string straight to the browser as real markup.
#
# Which to use for genuinely untrusted, user-submitted content: <%= %>
# (plain, escaped) -- always. raw() should only ever be used for content
# you, the developer, generated or fully trust (values baked into the
# app), never for anything a user typed into a form. Using raw() on
# user-submitted content is exactly the XSS vulnerability the completed
# XSS security course covered -- a user could submit
# "" instead of "Bold" and have it execute in
# every other visitor's browser.
=begin
Notes:
- This challenge deliberately uses safe example content ("Bold
claim") to demonstrate the rendering difference clearly, but the
chapter's real point is about untrusted input -- the same raw() call
applied to a malicious