Ruby variable that embeds html tags

rubyonrails-talk
1

This seems very simple, but I can't quite get it. Probably because I'm just starting out with RoR.

My view has a slew of labels and text fields; many are "required":

<%= f.text_field :screen_name %> <span class="required_field">Required field</span>

(The "required_field" class turns the text red and smaller.) I'd like to not have everything between <span> and </span> sitting at the end of every required line. I'd like instead to use a variable:

<% req = "<span class='required_field'>Required field</span>" %>

And then have <%= f.text_field :screen_name %> <%= req %>

Shorter and DRYer. But when I do that, I get my HTML printed to the screen, not interpreted.

Help appreciated. Thanks! Jacob

2

This seems very simple, but I can't quite get it. Probably because I'm just starting out with RoR.

My view has a slew of labels and text fields; many are "required":

<%= f.text_field :screen_name %> <span class="required_field">Required field</span>

(The "required_field" class turns the text red and smaller.) I'd like to not have everything between <span> and </span> sitting at the end of every required line. I'd like instead to use a variable:

<% req = "<span class='required_field'>Required field</span>" %>

And then have <%= f.text_field :screen_name %> <%= req %>

By default Rails will assume that req may contain malicious text (such as some evil js for example) and will escape it so that the raw html appears on the page. Since you know that req is safe to output directly you can either use <%= req.html_safe %> or <%= req = "<span .... >".html_safe %>

On a separate point I would use a view helper method rather than defining req inline however.

Colin

3

Colin Law wrote in post #1011094:

of every required line. I'd like instead to use a variable:

<% req = "<span class='required_field'>Required field</span>" %>

And then have <%= f.text_field :screen_name %> <%= req %>

By default Rails will assume that req may contain malicious text (such as some evil js for example) and will escape it so that the raw html appears on the page. Since you know that req is safe to output directly you can either use <%= req.html_safe %> or <%= req = "<span .... >".html_safe %>

On a separate point I would use a view helper method rather than defining req inline however.

From what I gather from the following it might be slightly faster to use <%= raw req %> rather than using html_safe directly when inside a view template:

If a plain String is passed into a <%= %>, Rails always escapes it

If a SafeBuffer is passed into a <%= %>, Rails does not escape it. To get a SafeBuffer from a String, call html_safe on it. The XSS system has a very small performance impact on this case, limited to a guard calling the html_safe? method

If you use the raw helper in a <%= %>, Rails detects it at compile-time of the template, resulting in zero performance impact from the XSS system on that concatenation

Rails does not escape any part of a template that is not in an ERB tag. Because Rails handles this at template compile-time, this results in zero performance impact from the XSS system on these concatenations

4

That is useful to know, thanks Robert.

Colin