Prevent Helper Automatically Escaping String

I'm writing a helper to generate the display of a product and its
information as retrieved from the database. Several HTML tags are part
of this.

As I'm building the string I want included in the HTML, Rails is
automatically escaping the string - which prevents me from actually
using the string I build. &lt;h2&gt; is *NOT* the same as <h2>.

How can I prevent Rails from doing this?


def my_helper
  "<h2>my unsafe string</h2>".html_safe!
end

See http://weblog.rubyonrails.org/2009/10/12/what-s-new-in-edge-rails

-philip

Philip Hallstrom wrote:

def my_helper
  "<h2>my unsafe string</h2>".html_safe!
end

See http://weblog.rubyonrails.org/2009/10/12/what-s-new-in-edge-rails

I'm not running edge rails, I'm running Rails 2.3.8.

There is no html_safe! method defined, so this won't work.


Ah. Then look at activesupport/lib/active_support/core_ext/string/output_safety.rb

-philip

Michael Satterwhite wrote:

Philip Hallstrom wrote:

def my_helper
  "<h2>my unsafe string</h2>".html_safe!
end

See http://weblog.rubyonrails.org/2009/10/12/what-s-new-in-edge-rails

Or you can use the raw method in the view I think:

<%= raw my_helper %>

Sort of like the opposite of the old "h" method.

I'm not running edge rails, I'm running Rails 2.3.8.

There is no html_safe! method defined, so this won't work.

If you're not running Rails 3, and did not install the plugin for Rails
2.3.x that does the automatic escaping, then you are escaping it
somewhere, maybe not realizing it.

Are you sure you're not wrapping the result in an "h" method?

Philip Hallstrom wrote:

Ah. Then look at
activesupport/lib/active_support/core_ext/string/output_safety.rb

OK, I'm looking at it. I must be dense, though - or I've got a BAD case
of tunnel vision.

How do I STOP these from changing the string? I'm sure it's obvious ...
but I'm not seeing it.

BTW: Thanks for pointing me at this.

---Michael

Robert Walker wrote:

Michael Satterwhite wrote:

Philip Hallstrom wrote:

def my_helper
  "<h2>my unsafe string</h2>".html_safe!
end

See http://weblog.rubyonrails.org/2009/10/12/what-s-new-in-edge-rails

Or you can use the raw method in the view I think:

THANK YOU! THANK YOU! THANK YOU!
This works.

If you're not running Rails 3, and did not install the plugin for Rails
2.3.x that does the automatic escaping, then you are escaping it
somewhere, maybe not realizing it.

I don't know of a plugin for that installed ... and I do the installing
on this system. The ' h "xxx" was a good idea, but I wasn't doing it.

Michael Satterwhite wrote:

Philip Hallstrom wrote:

Ah. Then look at
activesupport/lib/active_support/core_ext/string/output_safety.rb

OK, I'm looking at it. I must be dense, though - or I've got a BAD case
of tunnel vision.

How do I STOP these from changing the string? I'm sure it's obvious ...
but I'm not seeing it.

BTW: Thanks for pointing me at this.

---Michael

some_string = "<script>alert("Gotcha!")</script>"

<%= h some_string %> or <%= html_escape some_string %>
=> <script>alert("Gotcha!")</script>

<%= some_string %>
=> [[ javascript alert dialog => Gotcha! ]]

Robert Walker wrote:

some_string = "<script>alert("Gotcha!")</script>"

Ignore my still syntax error above with the nested double quotes. Single
quote the string in the JS part or fix however you like.

<%= h some_string %> or <%= html_escape some_string %>
=> <script>alert("Gotcha!")</script>

<%= some_string %>
=> [[ javascript alert dialog => Gotcha! ]]

Well, this is quite interesting. The above actually DID NOT work under
Rails 2.3.8 for me. Same code escaped properly, and as expected, running
under Rails 2.3.5.

In my test the JS dialog was displayed whether h was used or not. Not
good... Maybe on second thought I'll skip Rails 2.3.8 altogether and go
straight to Rails 3.0.
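The three techniques the thread touches (marking a string html_safe, opting out with raw, and escaping with h) all follow from one rule: a string is either trusted or it is not, and only trusted strings reach the page unescaped. The helper in the question is dangerous precisely when the whole concatenation, database values included, is declared trusted. The example below is added for this thread and is not Rails' code: it re-implements a minimal stand-in for ActiveSupport::SafeBuffer on top of ERB::Util.html_escape from the Ruby standard library so it runs without Rails, then shows the product helper written the unsafe way beside the safe way, plus the sanity check the last post shows is worth running (confirm h really escapes in your environment). The SafeBuffer, Helpers module, product_heading helpers and PRODUCT record are all assumptions made for the illustration; the constructed product name carries a script tag to stand in for a poisoned database row.

```ruby
require 'erb'

# Stand-in for ActiveSupport::SafeBuffer, written for this illustration (not the Rails
# implementation). A SafeBuffer is a String that is trusted; appending an ordinary
# String escapes it, appending another SafeBuffer does not.
class SafeBuffer < String
  def html_safe?
    true
  end

  # String#to_s would return a plain (untrusted) String for a subclass instance;
  # return self so the trust mark survives interpolation and output.
  def to_s
    self
  end

  def <<(value)
    value = value.to_s
    super(value.html_safe? ? value : ERB::Util.html_escape(value))
  end
  alias_method :concat, :<<

  def +(other)
    dup << other
  end
end

class String
  def html_safe?
    false
  end

  # Declares the receiver trusted. Never call this on a string that contains data
  # you did not write yourself (database fields, params, headers).
  def html_safe
    SafeBuffer.new(self)
  end
end

module Helpers
  module_function

  # `h` / `html_escape` as used in the thread.
  def h(value)
    ERB::Util.html_escape(value.to_s)
  end

  # What `<%= %>` does under automatic escaping: trusted strings pass through,
  # everything else is escaped on the way out.
  def output(value)
    value.html_safe? ? value.to_s : h(value)
  end

  # What `raw` does: opts the value out of output escaping entirely.
  def raw(value)
    value.to_s.html_safe
  end

  # The helper from the question done the dangerous way: interpolating database
  # values into markup and then trusting the whole thing. Any <script> in the
  # product name is delivered to the browser verbatim.
  def product_heading_unsafe(product)
    "<h2>#{product[:name]}</h2><p>#{product[:description]}</p>".html_safe
  end

  # The same helper done safely: only the literal markup is trusted; the database
  # values are escaped as they are appended to the buffer.
  def product_heading(product)
    out = ''.html_safe
    out << '<h2>'.html_safe << product[:name] << '</h2>'.html_safe
    out << '<p>'.html_safe << product[:description] << '</p>'.html_safe
    out
  end

  # Sanity check for the situation in the last post: prove that h escapes in the
  # running environment before trusting any view to it.
  def escaping_works?
    h('<script>') == '&lt;script&gt;'
  end
end

# Constructed sample row standing in for a product fetched from the database.
PRODUCT = {
  name: 'Widget <script>alert(1)</script>',
  description: 'Sturdy & cheap'
}.freeze

if $PROGRAM_NAME == __FILE__
  puts Helpers.output(Helpers.product_heading_unsafe(PRODUCT)) # script tag reaches the page
  puts Helpers.output(Helpers.product_heading(PRODUCT))        # script tag is escaped
  puts Helpers.escaping_works?
end
```

The safe helper is the shape Rails' own tag helpers (content_tag and friends) take in a real application: markup written by the developer is trusted, values from anywhere else are escaped, and html_safe or raw is reserved for strings that have already been through that process.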