Wednesday, 20 October 2010

Rails 3 escapes every string in <%= %>, so some HTML/Javascript might not work

Rails 3 escapes every string in a <%= %> automatically, i.e. applying the h() helper to it, so there might be some trouble with some hard-coded text constants:
  1. HTML tags are visible instead of being parsed by the browser, i.e. <i>some text</i>, instead of just being in italic
  2. Some javascript code might break for very simple reasons. Consider generating JSON in script tag in an .html.erb file using the <%= %>. Well, the quotes will be converted to &quot;, even though the is not HTML, but JS.
There is a way around that particular problem: calling the method html_safe on string objects. Here is an example of it.
Also, this article, explaines it in greater depth: SafeBuffers and Rails 3.0

No comments:

Post a comment