Application Helper Problem

Hello,

I'm trying to follow a book (www.RailsSpace.com). The book was made with an older version of Rails, but I'm using Rails 3. I've got a snippet of code in my application helper that is supposed to add a text field... It does, but it comes out as escaped TEXT on the webpage. Here is my helper method:

def text_field_for(form, field,
                   size=HTML_TEXT_FIELD_SIZE,
                   maxlength=DB_STRING_MAX_LENGTH)
  label = content_tag("label", "#{field.humanize}:", :for => field)
  form_field = form.text_field field, :size => size, :maxlength => maxlength
  content_tag("div", "#{label} #{form_field}", :class => "form_row")
end

Then the ERB: <%= text_field_for form, "first_name" %>

...and finally when it's rendered: <label for="first_name">First name:</label> <input id="spec_first_name" maxlength="255" name="spec[first_name]" size="15" type="text" value="" />

...which looks right, but it's escaped HTML text for some reason. Anyone know why?

Thanks,
- Jeff Miller

Rails now has XSS protection built in. You need to tell Rails that the string you've constructed ("#{label} #{form_field}") is safe. One way of doing this is calling html_safe! on it.

Fred

... content_tag("div", "#{label} #{form_field}".html_safe!, :class => "form_row") ...

gives me the error: You can't call html_safe! on a String.

Obviously I'm doing this wrong... where should I place html_safe! ?

Thanks,
- Jeff Miller

Ah! I got it. Thanks for pointing me in the right direction!

It's just .html_safe (no ! on it)

-Rob

Rob Biedenharn Rob@AgileConsultingLLC.com http://AgileConsultingLLC.com/ rab@GaslightSoftware.com http://GaslightSoftware.com/
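
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not Rails' own code: a small pure-Ruby model of the safe-string flag. SafeString stands in for ActiveSupport::SafeBuffer; the row_* helpers, the simplified content_tag and the sample values are constructed for illustration. It shows why interpolation loses the flag, what .html_safe on the whole string trusts, and how joining the parts keeps escaping for anything not already flagged.

```ruby
# Simplified model of Rails 3 output escaping (constructed; not ActiveSupport code).
ESCAPES = { "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;" }.freeze

def h(text)
  text.to_s.gsub(/[&<>"]/, ESCAPES)
end

class String
  def html_safe?; false; end
  def html_safe; SafeString.new(self); end
end

# Plays the role of ActiveSupport::SafeBuffer: a string flagged as trusted markup.
class SafeString < String
  def html_safe?; true; end

  # Joining keeps trusted parts as they are and escapes everything else.
  def +(other)
    SafeString.new(String.new(self) + (other.html_safe? ? other : h(other)))
  end
end

# Escapes the body unless it is flagged safe; the finished tag is flagged safe.
def content_tag(name, body, attrs = {})
  attr_text = attrs.map { |key, value| %( #{key}="#{h(value)}") }.join
  "<#{name}#{attr_text}>#{body.html_safe? ? body : h(body)}</#{name}>".html_safe
end

# The thread's helper: interpolation yields a plain String, so the flag is lost.
def row_interpolated(label, field)
  content_tag("div", "#{label} #{field}", :class => "form_row")
end

# The fix from the thread: the whole interpolated string is declared trusted.
def row_html_safe(label, field)
  content_tag("div", "#{label} #{field}".html_safe, :class => "form_row")
end

# Alternative: join the parts, so only parts already flagged safe stay unescaped.
def row_joined(label, field)
  content_tag("div", label + " " + field, :class => "form_row")
end

LABEL = content_tag("label", "First name:", :for => "first_name")
FIELD = content_tag("input", "", :name => "spec[first_name]")
UNTRUSTED = "<i>note</i>" # constructed stand-in for text that came from a user
```

With LABEL and FIELD both produced by content_tag, row_html_safe and row_joined give the same markup; they differ only when one of the parts is a plain string such as UNTRUSTED.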