[Rails3] Whitelist Rails 3 aggressive sanitizer

I have the following code:

<%= link_to(image_tag(...)) %>

The problem is that Rails sanitizes the images so it gets rendered as:

&lt;img src=... /&gt;

I could use html_safe, but that's painful and makes my code less
readable.

In Rails2 I could declare a whitelist such as:

config.action_view.sanitized_allowed_tags = 'a', 'blockquote', 'img',
...

But it doesn't seem to work anymore. Did I miss anything in the
transition from Rails 2 to 3?

Agile Web Development with Rails 3, p. 91, awkwardly addresses the issue by
using strip_tags() and skipping the explanation about how to let safe
tags through.

> The problem is that Rails sanitizes the images so it gets rendered as:
>
> &lt;img src=... /&gt;
>
> I could use html_safe, but that's painful and makes my code less
> readable.

I do not have an actual solution for you but maybe these links are helpful:
http://blog.plataformatec.com.br/tag/sanitize/
http://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html

Oh ok! I did not understand that now I had to use sanitize to kick the
whitelist in.

Thanks.

I don't understand the question.

In Rails 3 link_to does NOT escape the HTML produced by image_tag,
because the strings returned by these builtin helpers are marked as
html_safe:

    ∵ cat app/controllers/test_controller.rb
    class TestController < ApplicationController
      def index
        render :inline => '<%= link_to image_tag("foo") %>'
      end
    end

    ∵ curl http://localhost:3000/test
    <a href="/test"><img alt="Foo" src="/images/foo" /></a>

Why is your application escaping the image tag?

> Why is your application escaping the image tag?

Because I do something such as:

<%= link_to "#{image_tag('cart.png')} Cart", cart_url %>

So really the image_tag is inside a string, hence its sanitization.

I see.

I would write a helper link_to_cart whose implementation uses the raw
helper. That's the standard way to address this in Rails 3.
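
The behaviour discussed in this thread, as an added example that is not part of any post: a stdlib-only Ruby model of Rails 3 output escaping, showing why the interpolated string is escaped and how a helper can keep the trusted markup while still escaping the label. `SafeString`, `h`, `erb_output` and the simplified `image_tag`/`link_to` are stand-ins assumed for illustration, not Rails code; in an application the helper would call the real helpers and `raw`.

```ruby
require "erb"

# Stand-in for ActiveSupport::SafeBuffer: a String subclass marking trusted markup.
class SafeString < String; end

def h(text)
  ERB::Util.html_escape(text.to_s)
end

# Model of <%= %> in Rails 3: anything not marked safe is escaped on output.
def erb_output(value)
  value.is_a?(SafeString) ? value.to_s : h(value)
end

# Simplified stand-ins for the built-in helpers, which return safe strings.
def image_tag(file)
  alt = h(File.basename(file, ".*").capitalize)
  SafeString.new(%(<img alt="#{alt}" src="/images/#{h(file)}" />))
end

def link_to(body, url)
  SafeString.new(%(<a href="#{h(url)}">#{erb_output(body)}</a>))
end

# Interpolation yields a plain String, so the mark set by image_tag is lost
# and the whole body, markup included, is escaped.
def cart_link_interpolated(label)
  link_to("#{image_tag('cart.png')} #{label}", "/cart")
end

# Helper form: escape the label first, then mark the combined body as safe.
# Marking the interpolated string safe without escaping the label would let
# markup in the label through unescaped.
def link_to_cart(label = "Cart")
  body = SafeString.new("#{image_tag('cart.png')} #{h(label)}")
  link_to(body, "/cart")
end

if __FILE__ == $PROGRAM_NAME
  puts cart_link_interpolated("Cart")
  puts link_to_cart("Cart")
  puts link_to_cart("<b>Cart</b>") # constructed label containing markup
end
```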