Rails string formatting

Hi,

I have a helper that includes JS file contents into my view (for per-
view JS injections).

For some reason (render :file => "inject/#{filename}.js") % [ "foo" ]
combined with string formatting, assuming there's a replacement
pattern %s in {filename}.js, replaces all double quotes that were met
in {filename}.js to &quot;

It doesn't escape single quotes, and doesn't even escape double quotes
when using no replacement pattern.

I'm also using haml concat, but I just covered it with a spec, and
everything looks nice, so it's apparently not a haml bug:
    assert_equal("foo \"foobar\" bar\n", render("- haml_concat('foo \\\"%s\\\" bar' % [ \"foobar\" ])"))

And it's not a pure Ruby issue, which I checked too.

Is there some mechanism in Rails that may force symbols to be HTML-
encoded in case of replacement? It may also be a bug.
Thank you!

Alex P wrote in post #961467:

> Hi,
>
> I have a helper that includes JS file contents into my view (for per-
> view JS injections).

Don't ever do that! JS does not belong in your HTML.

> For some reason (render :file => "inject/#{filename}.js") % [ "foo" ]
> combined with string formatting, assuming there's a replacement
> pattern %s in {filename}.js, replaces all double quotes that were met
> in {filename}.js to &quot;
>
> It doesn't escape single quotes, and doesn't even escape double quotes
> when using no replacement pattern.

That is correct HTML escaping.

[...]

> Is there some mechanism in Rails that may force symbols to be HTML-
> encoded in case of replacement? It may also be a bug.
> Thank you!

Rails 3 HTML-escapes strings by default. You can turn it off, or
declare a particular string as safe, but in this case the better
solution would be to fix your design problem: put your JS and HTML in
separate files.

Best
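
A pure-Ruby model of the behaviour discussed in this thread, added here as an example (it is not code from either poster and not Rails' own implementation): output is escaped unless a string carries a "safe" marker, and the result of `%` is a plain String that no longer carries it. `SafeString`, `emit`, `safe_format` and the sample JS are hypothetical names and constructed input; the escaping of only `& < > "` follows what the original post observed.

```ruby
# Toy model (constructed, not Rails code) of "escape by default unless marked safe".

# Marker subclass: the output step trusts instances of this class.
class SafeString < String; end

# Escapes the four characters seen in the thread; single quotes are left alone.
HTML_ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;' }.freeze

def html_escape(text)
  text.to_s.gsub(/[&<>"]/, HTML_ESCAPES)
end

# What a view does when it emits a value: escape unless it is marked safe.
def emit(value)
  value.is_a?(SafeString) ? value.to_s : html_escape(value)
end

# Formats a trusted template, escapes every argument, and keeps the result safe.
# Escaping the arguments matters: marking the whole formatted string safe
# without it would let untrusted argument text reach the page unescaped.
def safe_format(template, *args)
  SafeString.new(template % args.map { |arg| emit(arg) })
end

# Constructed stand-in for the rendered contents of inject/<filename>.js
RENDERED_JS = SafeString.new(%q{alert("%s" + 'x');})

if __FILE__ == $PROGRAM_NAME
  puts emit(RENDERED_JS)                     # marked safe: emitted verbatim
  puts emit(RENDERED_JS % ['foo'])           # plain String after %: quotes escaped
  puts emit(safe_format(RENDERED_JS, '<b>')) # template kept, argument escaped
end
```
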