[Rails3] Whitelist Rails 3 aggressive sanitizer

I have the following code:

<%= link_to(image_tag(...)) %>

The problem is that Rails sanitizes the images so it gets rendered as:

&lt;img src=... /&gt;

I could use html_safe, but that's painful and makes my code less readable.

In Rails2 I could declare a whitelist such as:

config.action_view.sanitized_allowed_tags = 'a', 'blockquote', 'img', ...

But it doesn't seem to work anymore. Did I miss anything in the transition from Rails 2 to 3?

Agile Web Development with Rails 3, p. 91, awkwardly addresses the issue by using strip_tags() and skipping the explanation about how to let safe tags through.

I do not have an actual solution for you but maybe these links are helpful:

Oh, OK! I did not understand that I now had to use sanitize to kick the whitelist in.

Thanks.

I don't understand the question.

In Rails 3 link_to does NOT escape the HTML produced by image_tag, because the strings returned by these built-in helpers are marked as html_safe:

    ∵ cat app/controllers/test_controller.rb
    class TestController < ApplicationController
      def index
        render :inline => '<%= link_to image_tag("foo") %>'
      end
    end

    ∵ curl http://localhost:3000/test
    <a href="/test"><img alt="Foo" src="/images/foo" /></a>

Why is your application escaping the image tag?

Because I do something such as:

<%= link_to "#{image_tag('cart.png')} Cart", cart_url %>

So really the image_tag is inside a string, hence its sanitization.

I see.

I would write a helper link_to_cart whose implementation uses the raw helper. That's the standard way to address this in Rails 3.
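As an added example (not code from this thread, and not Rails' own implementation), the following Ruby models why the interpolated string in the question gets escaped and what a link_to_cart helper built on raw does. SafeBuffer, render_out, image_tag, link_to and raw below are simplified stand-ins written for this example; they mimic the Rails 3 behaviour (an html_safe string escapes whatever plain string is appended to it, and an ERB output tag escapes anything that is not html_safe) using only the standard library's ERB::Util.

```ruby
require "erb"

# Minimal stand-in for ActiveSupport::SafeBuffer (constructed for this example,
# not Rails' code): a String subclass that remembers it is already HTML.
class SafeBuffer < String
  def html_safe?; true; end

  # Appending a plain String escapes it; appending another SafeBuffer does not.
  def concat(other)
    super(other.html_safe? ? other : ERB::Util.html_escape(other))
  end
  alias_method :<<, :concat

  # `safe + plain` keeps the result html_safe, escaping only the plain part.
  def +(other)
    dup.concat(other)
  end
end

class String
  def html_safe?; false; end
  def html_safe; SafeBuffer.new(self); end
end

# What an ERB <%= %> tag does in Rails 3: escape unless the value is html_safe.
def render_out(value)
  value.html_safe? ? value.to_s : ERB::Util.html_escape(value.to_s)
end

# Stand-in for the built-in helper: returns html_safe markup, attributes escaped.
def image_tag(src, alt: src.sub(/\.\w+\z/, "").capitalize)
  %(<img alt="#{ERB::Util.html_escape(alt)}" src="/images/#{ERB::Util.html_escape(src)}" />).html_safe
end

# Stand-in for link_to: the body is escaped only if it is a plain String.
def link_to(body, url)
  buf = SafeBuffer.new(%(<a href="#{ERB::Util.html_escape(url)}">))
  buf << body
  buf << "</a>".html_safe
end

# Stand-in for the raw helper: mark a string as html_safe without escaping it.
def raw(str)
  str.to_s.html_safe
end

# The pattern from the question: "#{...}" interpolation yields a plain String,
# so link_to escapes the <img> markup and the browser shows it as text.
def broken_cart_link(cart_url)
  render_out(link_to("#{image_tag('cart.png')} Cart", cart_url))
end

# The helper from the last reply: raw marks the whole interpolated string safe.
# Fine here because "Cart" is a literal; raw over a string that embeds
# user-supplied text would switch escaping off for that text as well.
def link_to_cart(cart_url)
  render_out(link_to(raw("#{image_tag('cart.png')} Cart"), cart_url))
end

# Variant for a caption that may come from user input: append it to the
# already-safe image markup so that only the caption is escaped.
def link_to_cart_with_label(cart_url, label)
  render_out(link_to(image_tag("cart.png") + " #{label}", cart_url))
end

if __FILE__ == $0
  puts broken_cart_link("/cart")
  puts link_to_cart("/cart")
  puts link_to_cart_with_label("/cart", "<b>Cart</b>")
end
```

Running the file prints the escaped `&lt;img ...&gt;` form first, the working link second, and a link whose `<img>` survives while the untrusted caption is escaped third. The design point is that html_safe is a property of helper output, so the fix belongs in a helper that builds on that output; applying raw or html_safe to any string that carries user data recreates the XSS hole the escaping exists to close.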