Prevent Helper Automatically Escaping String

I'm writing a helper to generate the display of a product and its information as retrieved from the database. Several HTML tags are part of this.

As I'm building the string I want included in the HTML, Rails is automatically escaping the string - which prevents me from actually using the string I build. &lt;h2&gt; is *NOT* the same as <h2>.

How can I prevent Rails from doing this?


def my_helper
  "<h2>my unsafe string</h2>".html_safe!
end

See Ruby on Rails — What's New in Edge Rails

-philip

Philip Hallstrom wrote:

def my_helper
  "<h2>my unsafe string</h2>".html_safe!
end

See Ruby on Rails — What's New in Edge Rails

I'm not running edge rails, I'm running Rails 2.3.8.

There is no html_safe! method defined, so this won't work.


Ah. Then look at activesupport/lib/active_support/core_ext/string/output_safety.rb

-philip

Michael Satterwhite wrote:

Philip Hallstrom wrote:

def my_helper
  "<h2>my unsafe string</h2>".html_safe!
end

See Ruby on Rails — What's New in Edge Rails

Or you can use the raw method in the view I think:

<%= raw my_helper %>

Sort of like the opposite of the old "h" method.

I'm not running edge rails, I'm running Rails 2.3.8.

There is no html_safe! method defined, so this won't work.

If you're not running Rails 3, and did not install the plugin for Rails 2.3.x that does the automatic escaping, then you are escaping it somewhere, maybe not realizing it.

Are you sure you're not wrapping the result in an "h" method?

Philip Hallstrom wrote:

Ah. Then look at activesupport/lib/active_support/core_ext/string/output_safety.rb

OK, I'm looking at it. I must be dense, though - or I've got a BAD case of tunnel vision.

How do I STOP these from changing the string? I'm sure it's obvious ... but I'm not seeing it.

BTW: Thanks for pointing me at this.

---Michael

Robert Walker wrote:

Michael Satterwhite wrote:

Philip Hallstrom wrote:

def my_helper
  "<h2>my unsafe string</h2>".html_safe!
end

See Ruby on Rails — What's New in Edge Rails

Or you can use the raw method in the view I think:

THANK YOU! THANK YOU! THANK YOU! This works.

If you're not running Rails 3, and did not install the plugin for Rails 2.3.x that does the automatic escaping, then you are escaping it somewhere, maybe not realizing it.

I don't know of a plugin for that installed ... and I do the installing on this system. The h "xxx" was a good idea, but I wasn't doing it.

Michael Satterwhite wrote:

Philip Hallstrom wrote:

Ah. Then look at activesupport/lib/active_support/core_ext/string/output_safety.rb

OK, I'm looking at it. I must be dense, though - or I've got a BAD case of tunnel vision.

How do I STOP these from changing the string? I'm sure it's obvious ... but I'm not seeing it.

BTW: Thanks for pointing me at this.

---Michael

some_string = "<script>alert('Gotcha!')</script>"

<%= h some_string %> or <%= html_escape some_string %> => <script>alert('Gotcha!')</script>

<%= some_string %> => [[ javascript alert dialog => Gotcha! ]]
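The two sides of this thread, the helper that wants its own tags to survive (Philip's html_safe / Robert's raw) and Robert's script-injection demonstration, come down to one rule that Rails 2.3.6+ and Rails 3 apply through ActiveSupport::SafeBuffer: text appended to an output buffer is escaped unless it has been explicitly marked safe. The following stand-alone Ruby script is an added example, not code from the thread or from Rails; its SafeString and SafeBuffer classes are a deliberately small model of that rule, not the real ActiveSupport implementation, and the product record and the script payload in it are constructed for the demonstration. It shows why marking the whole helper result safe with raw reopens the hole Robert describes when the data in it came from the database, and how to mark only the markup the helper itself wrote.

```ruby
# Added example: a minimal model of the Rails 2.3.6+/3 SafeBuffer rule
# (unsafe strings are escaped when appended, safe strings pass through).
# This is NOT ActiveSupport's code; it only mirrors the behaviour.
require 'cgi'

# Equivalent of the view helper h / html_escape: escape the HTML-significant
# characters so the browser shows the text instead of interpreting it.
def h(str)
  CGI.escapeHTML(str.to_s)
end

# A string the caller has declared safe to emit without escaping.
class SafeString < String
  def html_safe?
    true
  end
end

# Mark a string as safe. Only use this on markup you wrote yourself.
def html_safe(str)
  SafeString.new(str.to_s)
end
alias raw html_safe

# Model of SafeBuffer#<<: escape on the way in unless the value is safe.
class SafeBuffer < SafeString
  def <<(value)
    value.is_a?(SafeString) ? super(value) : super(h(value))
  end
end

# Constructed sample record, as it might come back from the database.
# The description is attacker-controlled input for the demo.
PRODUCT = {
  name: 'Widget <deluxe>',
  description: "<script>alert('Gotcha!')</script>"
}.freeze

# The tempting shortcut from the thread: build one big string and mark the
# whole thing safe with raw. The database values reach the page unescaped.
def product_html_raw(product)
  raw("<h2>#{product[:name]}</h2><p>#{product[:description]}</p>")
end

# The correct pattern: only the literal markup is marked safe; every data
# value goes through the escaping append, and the result is still safe to
# emit with <%= %> because the buffer itself is a SafeString.
def product_html_safe(product)
  buf = SafeBuffer.new
  buf << html_safe('<h2>') << product[:name] << html_safe('</h2>')
  buf << html_safe('<p>') << product[:description] << html_safe('</p>')
  buf
end

# Simple check over a rendered fragment: true when a <script> element
# survived rendering, i.e. escaping failed somewhere upstream.
def contains_script_tag?(html)
  html =~ /<script\b/i ? true : false
end

if __FILE__ == $PROGRAM_NAME
  puts "raw helper:  #{product_html_raw(PRODUCT)}"
  puts "safe helper: #{product_html_safe(PRODUCT)}"
  puts "script tag survives raw helper?  #{contains_script_tag?(product_html_raw(PRODUCT))}"
  puts "script tag survives safe helper? #{contains_script_tag?(product_html_safe(PRODUCT))}"
end
```

In real Rails the same split is what content_tag and the view's own ERB buffer give you for free: write the helper so that only its literal tags are html_safe and let every interpolated value be escaped, rather than calling raw on the finished string.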

Robert Walker wrote:

some_string = "<script>alert('Gotcha!')</script>"

Ignore my silly syntax error above with the nested double quotes. Single quote the string in the JS part or fix however you like.

<%= h some_string %> or <%= html_escape some_string %> => <script>alert('Gotcha!')</script>

<%= some_string %> => [[ javascript alert dialog => Gotcha! ]]

Well, this is quite interesting. The above actually DID NOT work under Rails 2.3.8 for me. Same code escaped properly, and as expected, running under Rails 2.3.5.

In my test the JS dialog was displayed whether h was used or not. Not good... Maybe on second thought I'll skip Rails 2.3.8 altogether and go straight to Rails 3.0.