Help on Rails3: html_safe doesn't unescape

I'm upgrading my CMS app to Rails 3, but some parts just don't get unescaped :-(:

From application.html.erb:

        <% for article in topplinker %>
          <% nr = nr + 1 -%>
          <%= text2html(article.ingress, article.cloth).html_safe %> # <----- Here it is!
          <% if defined?(session[:noruser]) -%>
            <% if authorized_to?(:controller => 'articles', :action => 'edit')
              linkon = 1 %>
              <span class="editmeny">
                <%= link_to "Edit", :controller => 'articles', :action => 'edit', :id => article.id %>
              </span>
            <% end %>
          <% end -%>

returns the following unescaped text:

        <div class="toppmenylinje1">
          <h2 class="skjultstruktur">Hovedmeny</h2>
          <ul>
            <li class="first" id="tm1"><a href="/">Forside</a></li>
            <li id="tm2"><a href="/nyheter">Nyheter</a></li>
            <li id="tm3"><a href="/organisasjon">Organisasjon</a></li>
            <li id="tm4"><a href="/ressurser">Ressurser</a></li>
          </ul>
        </div>
        <div class="toppmenylinje2">
          <h2 class="skjultstruktur">Meny for sentralt</h2>
          <ul>
            <li class="first"><a href="/sentralt/view/13305">Hva er rasisme?</a></li>
            <li><a href="/blimedlem">Bli medlem!</a></li>
            <li><a href="/Sentralt/60">Meninger</a></li>
            <li><a href="/materiell">Materiell</a></li>
            <li><a href="/account/login" title="Logg inn på nettsiden">Logg inn</a></li>
            <li><a href="/epost">E-post</a></li>
            <li><a href="Index of /start/view 12098">Kontakt oss</a></li>
          </ul>
        </div>

What do I do wrong?

Henrik wrote in post #949279:

I'm upgrading my CMS app to Rails 3, but some parts just don't get unescaped :-(:

From application.html.erb:

        <% for article in topplinker %>
          <% nr = nr + 1 -%>
          <%= text2html(article.ingress, article.cloth).html_safe %> # <----- Here it is!

It's really difficult to know exactly what the problem is without seeing the code for text2html. You need to make sure the string generated inside of this method is marked html_safe in its entirety. It's most likely too late to call html_safe where you're showing here. As a rule of thumb html_safe is generally used inside of a helper method, whereas the "raw" method is generally used inside the view template.

Example:

        <%= raw "<p>My HTML string I want displayed unescaped.</p>" %>

Here's a pretty nice article that goes into this in depth. Be sure to read the section near the end about using html_safe inside helper methods.

http://asciicasts.com/episodes/204-xss-protection-in-rails-3
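To make the "too late" point concrete, here is an added example (not code from the thread or from Rails) that runs without Rails: `SafeString` is an assumed minimal stand-in for ActiveSupport::SafeBuffer that only reproduces the two behaviours the answer relies on (a string can be marked safe, and appending an unmarked string to a safe one escapes it), `erb_output` mimics what `<%= %>` does in Rails 3, and both `text2html` bodies are hypothetical since the original helper was never shown.

```ruby
require "erb"

# Assumed stand-in for ActiveSupport::SafeBuffer: knows it is safe, and
# escapes any non-safe String appended to it, as Rails does.
class SafeString < String
  def html_safe?; true; end

  def <<(other)
    safe = other.respond_to?(:html_safe?) && other.html_safe?
    super(safe ? other : ERB::Util.html_escape(other))
  end
end

class String
  def html_safe; SafeString.new(self); end
end

# What <%= %> does in Rails 3: escape anything not marked html_safe.
def erb_output(value)
  safe = value.respond_to?(:html_safe?) && value.html_safe?
  safe ? value.to_s : ERB::Util.html_escape(value)
end

# Hypothetical helper written the way the answer recommends: trusted markup
# is marked safe fragment by fragment, the user-supplied ingress is appended
# unmarked so it is escaped, and the whole result leaves the helper safe.
def text2html(ingress, cloth)
  out = %(<div class="#{ERB::Util.html_escape(cloth)}">).html_safe
  out << "<p>".html_safe
  out << ingress               # plain String: escaped on append
  out << "</p></div>".html_safe
end

# Hypothetical helper showing the suspected bug: it starts from a safe
# fragment but appends its own markup as plain Strings, so that markup is
# escaped inside the helper. Calling html_safe on the return value in the
# view cannot undo escaping that already happened.
def text2html_naive(ingress, cloth)
  out = %(<div class="#{ERB::Util.html_escape(cloth)}">).html_safe
  out << "<p>"                 # escaped to &lt;p&gt; right here
  out << ingress
  out << "</p></div>"
end
```

Rendering `text2html("<b>Hei</b>", "ingress")` keeps the helper's markup intact and neutralises the markup inside the ingress, whereas `text2html_naive("Hei", "ingress").html_safe` still shows the literal `&lt;p&gt;` the original poster is seeing.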