I offer three suggestions why this is a good idea:
- The syntax is cleaner. It can avoid a lot of .html_safe and raw in
your views. I especially like the conciseness of <%=== '<b>Alert</b>'
if level<0 %> better than the alternative with .html_safe.
The only concern I have is that the syntax here has subtly different
isn't the same. In erubis strings get escaped irrespective of whether
they've been escaped before, in rails it's an idempotent escaping
function so <%= h(x) and <%= x are identical.
So if we override these additional operators we'll be giving them our
own meaning, not increasing compatibility with erubis. Having said
that, they're completely broken now so I think this is probably a good
- It performs slightly better since it saves a method call and we can
concat a String directly instead of coercing everything to a
We actually used to do something similar, but it was removed in this commit:
Was added here:
Not sure whether that was intentional though.
- It re-enables the ability of Erubis to behave like Erb in Rails 2
which allows for easier upgrading (You can pass :escape => true to a
new Erubis instance or globally replace the <%= with <%==)
I don't actually consider this a feature to be honest. Yes it's
annoying having to mark strings as safe to prevent them being escaped,
but at least you notice it. Contrast this with the previous behaviour
where things 'mostly worked' until someone tried to attack your site.
It's annoying and fiddly, but compared to the alternative situation
where a single missing h can mean you give away root access to your
servers and all your customers' passwords, I think the pain is
It's currently a monkey patch but if there is a chance of this being
accepted I can turn it into a proper patch with tests. Comments
I like the idea of making <%== work as a synonym for <%= raw, upload a
proper patch for it and I'll take a look.
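The escaping difference raised above (Erubis re-escapes whatever it is given, while Rails' h is idempotent because escaped output is marked safe, and <%== / raw marks a string safe without escaping) is easy to see in a few lines. The following is an added illustration, not code from the thread, Rails or Erubis: SafeString stands in for Rails' ActiveSupport::SafeBuffer, and erubis_escape, rails_escape and raw are constructed helper names modelling the two behaviours, using only CGI.escapeHTML from the Ruby standard library.

```ruby
require 'cgi'

# Constructed stand-in for Rails' SafeBuffer: a String that reports itself
# as already safe, so the escape helper leaves it alone.
class SafeString < String
  def html_safe?
    true
  end
end

# Erubis-style escaping: escape unconditionally, with no memory of whether
# the value was escaped before. Applying it twice double-escapes.
def erubis_escape(value)
  CGI.escapeHTML(value.to_s)
end

# Rails-style escaping (what <%= / h do): escape only untrusted strings and
# return the result marked safe, so a second pass is a no-op.
def rails_escape(value)
  return value if value.respond_to?(:html_safe?) && value.html_safe?
  SafeString.new(CGI.escapeHTML(value.to_s))
end

# raw / <%== : trust the string as given and mark it safe (the developer's
# explicit decision, visible in the template).
def raw(value)
  SafeString.new(value.to_s)
end

# Renders the same untrusted input through each tag form, so the three
# behaviours can be compared side by side.
def compare_escaping(untrusted)
  {
    erubis_once:  erubis_escape(untrusted),
    erubis_twice: erubis_escape(erubis_escape(untrusted)),   # double-escaped
    rails_once:   rails_escape(untrusted),
    rails_twice:  rails_escape(rails_escape(untrusted)),     # identical to once
    rails_raw:    raw(untrusted)                             # passed through
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: user-supplied markup that must not reach the page raw.
  compare_escaping('<b>hi</b>').each { |tag, out| puts "#{tag}: #{out}" }
end
```

The point the thread makes falls out of the results: with the Erubis semantics a template author who escapes a value that was already escaped gets `&amp;lt;` noise, so people stop escaping defensively; with the Rails semantics escaping is safe to apply everywhere and the only way to emit markup unescaped is the explicit raw / <%== marker.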