I'm writing a helper to generate the display of a product and its information as retrieved from the database. Several HTML tags are part of this. As I'm building the string I want included in the HTML, Rails is automatically escaping the string - which prevents me from actually using the string I build. >h2< is *NOT* the same as <h2>. How can I prevent Rails from doing this?

-- 
Posted via http://www.ruby-forum.com/.

-- 
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
> I'm writing a helper to generate the display of a product and its
> information as retrieved from the database. Several HTML tags are part
> of this.
>
> As I'm building the string I want included in the HTML, Rails is
> automatically escaping the string - which prevents me from actually
> using the string I build. >h2< is *NOT* the same as <h2>.
>
> How can I prevent Rails from doing this?

def my_helper
  "<h2>my unsafe string</h2>".html_safe!
end

See http://weblog.rubyonrails.org/2009/10/12/what-s-new-in-edge-rails

-philip
Michael Satterwhite
2010-Aug-03 18:36 UTC
Re: Prevent Helper Automatically Escaping String
Philip Hallstrom wrote:
> def my_helper
>   "<h2>my unsafe string</h2>".html_safe!
> end
>
> See http://weblog.rubyonrails.org/2009/10/12/what-s-new-in-edge-rails

I'm not running edge rails, I'm running Rails 2.3.8. There is no html_safe! method defined, so this won't work.
Philip Hallstrom
2010-Aug-03 18:41 UTC
Re: Re: Prevent Helper Automatically Escaping String
>> def my_helper
>>   "<h2>my unsafe string</h2>".html_safe!
>> end
>>
>> See http://weblog.rubyonrails.org/2009/10/12/what-s-new-in-edge-rails
>
> I'm not running edge rails, I'm running Rails 2.3.8.
>
> There is no html_safe! method defined, so this won't work.

Ah. Then look at activesupport/lib/active_support/core_ext/string/output_safety.rb

-philip
Michael Satterwhite wrote:
> Philip Hallstrom wrote:
>
>> def my_helper
>>   "<h2>my unsafe string</h2>".html_safe!
>> end
>>
>> See http://weblog.rubyonrails.org/2009/10/12/what-s-new-in-edge-rails

Or you can use the raw method in the view I think:

<%= raw my_helper %>

Sort of like the opposite of the old "h" method.

> I'm not running edge rails, I'm running Rails 2.3.8.
>
> There is no html_safe! method defined, so this won't work.

If you're not running Rails 3, and did not install the plugin for Rails 2.3.x that does the automatic escaping, then you are escaping it somewhere, maybe not realizing it. Are you sure you're not wrapping the result in an "h" method?
Michael Satterwhite
2010-Aug-03 18:49 UTC
Re: Re: Prevent Helper Automatically Escaping String
Philip Hallstrom wrote:
> Ah. Then look at
> activesupport/lib/active_support/core_ext/string/output_safety.rb

OK, I'm looking at it. I must be dense, though - or I've got a BAD case of tunnel vision. How do I STOP these from changing the string? I'm sure it's obvious ... but I'm not seeing it.

BTW: Thanks for pointing me at this.

---Michael
Michael Satterwhite
2010-Aug-03 19:00 UTC
Re: Prevent Helper Automatically Escaping String
Robert Walker wrote:
> Michael Satterwhite wrote:
>> Philip Hallstrom wrote:
>>
>>> def my_helper
>>>   "<h2>my unsafe string</h2>".html_safe!
>>> end
>>>
>>> See http://weblog.rubyonrails.org/2009/10/12/what-s-new-in-edge-rails
>
> Or you can use the raw method in the view I think:

THANK YOU! THANK YOU! THANK YOU! This works.

> If you're not running Rails 3, and did not install the plugin for Rails
> 2.3.x that does the automatic escaping, then you are escaping it
> somewhere, maybe not realizing it.

I don't know of a plugin for that installed ... and I do the installing on this system. The h "xxx" was a good idea, but I wasn't doing it.
Michael Satterwhite wrote:
> Philip Hallstrom wrote:
>
>> Ah. Then look at
>> activesupport/lib/active_support/core_ext/string/output_safety.rb
>
> OK, I'm looking at it. I must be dense, though - or I've got a BAD case
> of tunnel vision.
>
> How do I STOP these from changing the string? I'm sure it's obvious ...
> but I'm not seeing it.
>
> BTW: Thanks for pointing me at this.
>
> ---Michael

some_string = "<script>alert("Gotcha!")</script>"

<%= h some_string %> or <%= html_escape some_string %>
=> <script>alert("Gotcha!")</script>

<%= some_string %>
=> [[ javascript alert dialog => Gotcha! ]]
Robert Walker wrote:
> some_string = "<script>alert("Gotcha!")</script>"

Ignore my silly syntax error above with the nested double quotes. Single quote the string in the JS part or fix however you like.

> <%= h some_string %> or <%= html_escape some_string %>
> => <script>alert("Gotcha!")</script>
>
> <%= some_string %>
> => [[ javascript alert dialog => Gotcha! ]]

Well, this is quite interesting. The above actually DID NOT work under Rails 2.3.8 for me. Same code escaped properly, and as expected, running under Rails 2.3.5. In my test the JS dialog was displayed whether h was used or not. Not good...

Maybe on second thought I'll skip Rails 2.3.8 altogether and go straight to Rails 3.0.
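The thread circles two things: how to get a helper's markup past the escaper (raw / html_safe, Robert's first answer) and why the escaper is there at all (the alert("Gotcha!") demonstration in the later posts). The following is an added example, not code from this thread or from Rails itself: a plain-Ruby model of the Rails output-safety contract that runs without Rails. SafeBuffer, erb_output, product_display, product_display_unsafe and SAMPLE_PRODUCT are stand-ins written for this example; only html_escape, h, raw, html_safe and html_safe? mirror the Rails helpers named above, and the sample product row is constructed. It shows the pattern a product helper should follow: trust the template's own tags, escape every database field at the point it is appended, and hand the view a buffer that is already safe, rather than interpolating first and marking the whole string safe afterwards.

```ruby
# Added example, not code from this thread: a plain-Ruby model of the Rails
# output-safety contract (String#html_safe / SafeBuffer / raw / h) so the
# difference between "escape the data" and "mark the markup safe" can be
# run without Rails. SafeBuffer, erb_output and product_display are
# stand-ins written here; only html_escape, h, raw, html_safe and
# html_safe? mirror the Rails helpers discussed in the thread.

HTML_ESCAPE = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;'
}.freeze

class Object
  # Anything not explicitly marked safe is treated as untrusted.
  def html_safe?
    false
  end
end

# Stand-in for ActiveSupport::SafeBuffer: a String whose content is either
# already escaped or trusted template-literal markup.
class SafeBuffer < String
  def html_safe?
    true
  end

  # Appending escapes unsafe input; safe buffers are appended verbatim.
  def concat(other)
    super(other.html_safe? ? other : html_escape(other))
  end
  alias_method :<<, :concat
end

class String
  # Like Rails' String#html_safe: assert that this string is trusted markup.
  def html_safe
    SafeBuffer.new(self)
  end
end

# Escape the five HTML-significant characters; the result is safe to emit
# and will not be escaped a second time.
def html_escape(value)
  return value if value.html_safe?
  SafeBuffer.new(value.to_s.gsub(/[&<>"']/, HTML_ESCAPE))
end

def h(value)
  html_escape(value)
end

# Like Rails' raw: bypass escaping for the whole string, trusted or not.
def raw(value)
  value.to_s.html_safe
end

# What <%= ... %> does with output escaping on: escape unless marked safe.
def erb_output(value)
  (value.html_safe? ? value : html_escape(value)).to_s
end

# Safe helper: literal tags are trusted, database fields are escaped as
# they are appended, and the finished buffer passes <%= %> untouched.
def product_display(product)
  buf = SafeBuffer.new('')
  buf << '<h2>'.html_safe
  buf << product[:name]
  buf << '</h2><p>'.html_safe
  buf << product[:description]
  buf << '</p>'.html_safe
  buf
end

# Unsafe helper: interpolate first, mark the whole result safe afterwards.
# Any markup stored in the database flows straight to the browser.
def product_display_unsafe(product)
  "<h2>#{product[:name]}</h2><p>#{product[:description]}</p>".html_safe
end

# Constructed sample row standing in for a record whose description was
# edited by a user; it carries the thread's alert('Gotcha!') payload.
SAMPLE_PRODUCT = {
  name: 'Widget <3',
  description: "<script>alert('Gotcha!')</script>"
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts erb_output('<h2>x</h2>')        # the ">h2<" effect from the first post
  puts erb_output(raw('<h2>x</h2>'))   # raw lets the tags through
  puts erb_output(product_display(SAMPLE_PRODUCT))
  puts erb_output(product_display_unsafe(SAMPLE_PRODUCT))
end
```

The check worth keeping from this: the first helper emits the script tag as inert text, the second emits it as live markup, and the only difference is whether escaping happened before or after the trusted tags were added. raw and html_safe are the right tool for the helper's own literal tags, never for a string that already has a database field interpolated into it.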