This seems very simple, but I can't quite get it. Probably because I'm just starting out with RoR.

My view has a slew of labels and text fields; many are "required":

<%= f.text_field :screen_name %> <span class="required_field">Required field</span>

(The "required_field" class turns the text red and smaller.) I'd like to not have everything between <span> and </span> sitting at the end of every required line. I'd like instead to use a variable:

<% req = "<span class='required_field'>Required field</span>" %>

And then have

<%= f.text_field :screen_name %> <%= req %>

Shorter and DRYer. But when I do that, I get my HTML printed to the screen, not interpreted.

Help appreciated. Thanks!
Jacob

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
On 15 July 2011 22:13, Jacob <jacobkosman-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> This seems very simple, but I can't quite get it. Probably because I'm
> just starting out with RoR.
>
> My view has a slew of labels and text fields; many are "required":
>
> <%= f.text_field :screen_name %> <span class="required_field">Required
> field</span>
>
> (The "required_field" class turns the text red and smaller.) I'd like
> to not have everything between <span> and </span> sitting at the end
> of every required line. I'd like instead to use a variable:
>
> <% req = "<span class='required_field'>Required field</span>" %>
>
> And then have
> <%= f.text_field :screen_name %> <%= req %>

By default Rails will assume that req may contain malicious text (such as some evil js for example) and will escape it so that the raw html appears on the page. Since you know that req is safe to output directly you can either use <%= req.html_safe %> or <%= req = "<span .... >".html_safe %>

On a separate point I would use a view helper method rather than defining req inline however.

Colin

> Shorter and DRYer. But when I do that, I get my HTML printed to the
> screen, not interpreted.
>
> Help appreciated. Thanks!
> Jacob
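Colin's two points, the html_safe guard and moving the markup into a view helper, as an added example that is not part of this thread and not Rails code. It is plain Ruby: a toy SafeString stands in for ActiveSupport::SafeBuffer (an assumption, so the file runs without Rails) and erb_output mimics what the Rails <%= %> tag does, escaping any value that does not answer true to html_safe?. The security point behind Colin's warning is that html_safe (and raw, which is html_safe with a to_s in front) is an assertion that the developer authored the markup, not a sanitizer; it belongs on a fixed literal inside a helper, never on a string that embeds request or database text. The helper below therefore escapes any caller-supplied label before marking the wrapper safe, and the deliberately unsafe variant next to it shows what the guard cannot protect against. The hostile label is constructed for the demonstration.

```ruby
require "erb"

# Toy stand-in for ActiveSupport::SafeBuffer (assumption: not the Rails class).
# The only property the <%= %> tag relies on is html_safe? returning true.
class SafeString < String
  def html_safe?
    true
  end
end

class String
  # A plain String is untrusted by default, as in Rails.
  def html_safe?
    false
  end

  # Marks the string as trusted. This is a developer assertion; it does
  # not inspect or clean the content in any way.
  def html_safe
    SafeString.new(self)
  end
end

# Mirrors what Rails' <%= %> does with a value: escape unless marked safe.
# Non-string values (nil, numbers) are stringified and escaped like Rails.
def erb_output(value)
  if value.respond_to?(:html_safe?) && value.html_safe?
    value.to_s
  else
    ERB::Util.html_escape(value.to_s)
  end
end

# View helper in the spirit of Colin's suggestion. The <span> wrapper is a
# literal written by the developer, so marking it html_safe is justified.
# The label is escaped first, so the helper stays safe even when a caller
# passes text that originated in params or the database.
def required_field_marker(label = "Required field")
  %(<span class="required_field">#{ERB::Util.html_escape(label)}</span>).html_safe
end

# The anti-pattern: html_safe on a string that interpolates unescaped
# external text. Kept only to show the injection this produces.
def unsafe_marker(label)
  %(<span class="required_field">#{label}</span>).html_safe
end

# Renders the three variants from the thread for one label and returns
# them so each output can be inspected side by side.
def render_examples(label)
  {
    # Jacob's original: a plain String, so the whole thing is escaped.
    plain_string: erb_output(%(<span class="required_field">#{label}</span>)),
    # The helper: wrapper survives, label is escaped.
    helper: erb_output(required_field_marker(label)),
    # html_safe on untrusted input: the label lands in the page verbatim.
    unsafe: erb_output(unsafe_marker(label))
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed hostile input standing in for user-controlled text.
  render_examples("<script>alert(1)</script>").each { |k, v| puts "#{k}: #{v}" }
end
```

The plain-string case is Jacob's symptom: the tags print as text because nothing asserted they were safe. The helper keeps the assertion next to the literal it applies to, which is why a helper method is the better home for it than an inline `req` variable that later edits could turn into a string carrying external data.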
Colin Law wrote in post #1011094:
> On 15 July 2011 22:13, Jacob <jacobkosman-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>> of every required line. I'd like instead to use a variable:
>>
>> <% req = "<span class='required_field'>Required field</span>" %>
>>
>> And then have
>> <%= f.text_field :screen_name %> <%= req %>
>
> By default Rails will assume that req may contain malicious text (such
> as some evil js for example) and will escape it so that the raw html
> appears on the page. Since you know that req is safe to output
> directly you can either use <%= req.html_safe %> or <%= req = "<span
> .... >".html_safe %>
>
> On a separate point I would use a view helper method rather than
> defining req inline however.

From what I gather from the following it might be slightly faster to use <%= raw req %> rather than using html_safe directly when inside a view template:

If a plain String is passed into a <%= %>, Rails always escapes it

If a SafeBuffer is passed into a <%= %>, Rails does not escape it. To get a SafeBuffer from a String, call html_safe on it. The XSS system has a very small performance impact on this case, limited to a guard calling the html_safe? method

If you use the raw helper in a <%= %>, Rails detects it at compile-time of the template, resulting in zero performance impact from the XSS system on that concatenation

Rails does not escape any part of a template that is not in an ERB tag. Because Rails handles this at template compile-time, this results in zero performance impact from the XSS system on these concatenations

--
Posted via http://www.ruby-forum.com/.
On 18 July 2011 22:45, Robert Walker <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
> Colin Law wrote in post #1011094:
>> On 15 July 2011 22:13, Jacob <jacobkosman-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>>> of every required line. I'd like instead to use a variable:
>>>
>>> <% req = "<span class='required_field'>Required field</span>" %>
>>>
>>> And then have
>>> <%= f.text_field :screen_name %> <%= req %>
>>
>> By default Rails will assume that req may contain malicious text (such
>> as some evil js for example) and will escape it so that the raw html
>> appears on the page. Since you know that req is safe to output
>> directly you can either use <%= req.html_safe %> or <%= req = "<span
>> .... >".html_safe %>
>>
>> On a separate point I would use a view helper method rather than
>> defining req inline however.
>
> From what I gather from the following it might be slightly faster to use
> <%= raw req %> rather than using html_safe directly when inside a view
> template:
>
> If a plain String is passed into a <%= %>, Rails always escapes it
>
> If a SafeBuffer is passed into a <%= %>, Rails does not escape it. To
> get a SafeBuffer from a String, call html_safe on it. The XSS system has
> a very small performance impact on this case, limited to a guard calling
> the html_safe? method
>
> If you use the raw helper in a <%= %>, Rails detects it at compile-time
> of the template, resulting in zero performance impact from the XSS
> system on that concatenation
>
> Rails does not escape any part of a template that is not in an ERB tag.
> Because Rails handles this at template compile-time, this results in
> zero performance impact from the XSS system on these concatenations

That is useful to know, thanks Robert.

Colin