Rails string formatting

Hi,

I have a helper that includes JS file contents into my view (for per-view JS injections).

For some reason (render :file => "inject/#{filename}.js") % [ "foo" ] combined with string formatting, assuming there's a replacement pattern %s in {filename}.js, replaces all double quotes that were met in {filename}.js to &quot;

It doesn't escape single quotes, and doesn't even escape double quotes when using no replacement pattern.

I'm also using haml concat, but I just covered it with a spec, and everything looks nice, so it's apparently not a haml bug:

    assert_equal("foo \"foobar\" bar\n", render("- haml_concat('foo \\ \"%s\\\" bar' % [ \"foobar\" ])"))

And it's not a pure Ruby issue, which I checked too.

Is there some mechanism in Rails that may force symbols to be HTML-encoded in case of replacement? It may also be a bug. Thank you!

Alex P wrote in post #961467:

> Hi,
>
> I have a helper that includes JS file contents into my view (for per-view JS injections).

Don't ever do that! JS does not belong in your HTML.

> For some reason (render :file => "inject/#{filename}.js") % [ "foo" ] combined with string formatting, assuming there's a replacement pattern %s in {filename}.js, replaces all double quotes that were met in {filename}.js to &quot;
>
> It doesn't escape single quotes, and doesn't even escape double quotes when using no replacement pattern.

That is correct HTML escaping.

[...]

> Is there some mechanism in Rails that may force symbols to be HTML-encoded in case of replacement? It may also be a bug. Thank you!

Rails 3 HTML-escapes strings by default. You can turn it off, or declare a particular string as safe, but in this case the better solution would be to fix your design problem: put your JS and HTML in separate files.

Best
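
The behaviour discussed in this thread, as an added example that is not part of either post and is not Rails code: a minimal plain-Ruby model, assuming (as the reply says) that output is escaped unless a string is marked safe, and assuming that `%` hands back an ordinary String that has lost that mark. `SafeString`, `h`, `emit` and `render_js` are hypothetical names, and the JS snippets are constructed samples.

```ruby
# Simplified model of escape-by-default output (assumption: not Rails source).
ESCAPES = { "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;" }.freeze

# Marker subclass: a string the view layer trusts and writes out verbatim.
class SafeString < String; end

# HTML-escape the four characters the thread describes (single quotes untouched).
def h(value)
  value.to_s.gsub(/[&<>"]/, ESCAPES)
end

# What the template does with any value it is asked to output.
def emit(value)
  value.is_a?(SafeString) ? value.to_s : h(value)
end

# Stand-in for `render :file => ...`: rendered output comes back marked safe.
def render_js(source)
  SafeString.new(source)
end

JS_PLAIN = %q{alert("hello"); var a = 'x';}    # constructed sample, no %s
JS_TMPL  = %q{alert("hello %s"); var a = 'x';} # constructed sample with %s

# 1. No formatting: the safe mark survives, nothing is escaped.
def case_plain
  emit(render_js(JS_PLAIN))
end

# 2. String#% builds a new plain String, so the mark is gone and the
#    whole text (not only the substituted part) is escaped on output.
def case_formatted
  emit(render_js(JS_TMPL) % ["foo"])
end

# 3. Re-marking the formatted result restores verbatim output. Only sound
#    when every substituted value is trusted or already encoded for JS.
def case_remarked
  emit(SafeString.new(render_js(JS_TMPL) % ["foo"]))
end

puts case_plain, case_formatted, case_remarked if $PROGRAM_NAME == __FILE__
```

In Rails itself, the "declare a particular string as safe" step the reply mentions is `html_safe` (or `raw` in a view); the same caution about the substituted values applies.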