Ampersand Heartburn

Greetings all.

I’m using the Microsoft “NorthWind Traders” database “orders” table as
test data for the Rico LiveGrid JavaScript.

The problem I’m noticing is that some of the records in the “ShipName”
field contain ampersands – which for some reason are not being escaped
by Rails.

Rails does in fact automatically escape all of the other characters like
apostrophes that might otherwise cause problems. However it returns
ampersands as ampersands with no escape character or other modification
and this of course does not play well with the LiveGrid JavaScript.

For reference, I’m using MySQL and the following is a test query (that
works on both the command line and in Rails) that will return record 24
that should return a record containing the ShipName “Split Rail Beer &
Ale”:

@orders = Order.find(:all,
                     :select => "id, ShipName",
                     :conditions => "id = 24")

Is there a way in Rails to force the query to return an escaped
ampersand? I looked through both the Rails and MySQL documentation and
did not see anything that might solve this problem.

Thanks,

Doug

Here is a work-around/solution I came up with to escape selected
characters (in this case – an ampersand – but could be anything).
Anyone have any better ideas, please share. Thanks!

for order in @orders
  # attributes returns a copy, so writing back through order[key] is safe
  order.attributes.each { |key, value|
    # gsub rather than sub, so every ampersand in the value is replaced
    value = value.to_s.gsub(/&/, "&amp;")
    order[key] = value
  }
end

Doug

This morning Chris M. sent an email with the following solution which is
much better than the above:

ActiveRecord returns the data in the database ‘as-is’. It doesn’t
assume that you’re going to be outputting it as part of an HTML page.
Escaping apostrophes as data goes into the database is a SQL-
related issue, which is why ActiveRecord does it automatically.
Escaping ampersands in data coming out of the database is an HTML
encoding issue, which is not ActiveRecord’s concern.

The standard approach is to do this encoding in your view, using the h
() function:

<%= h order.ship_name %>

This will encode &, < and > into their appropriate HTML entities.

You could write some kind of wrapper function in your model to do
this encoding, but again this is a presentation concern not a model
concern, so I wouldn’t recommend it.

Chris

Thanks Chris!
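Chris's model-versus-view distinction, worked through as an added Ruby example (mine, not code from the thread): it puts Doug's model-side substitution beside escaping at the output boundary with ERB::Util.html_escape, the method behind Rails' h(), on constructed sample rows, and shows the double encoding that appears once both are applied.

```ruby
require 'erb'

# Constructed sample rows in the shape ActiveRecord hands back: the stored
# value is raw, which is exactly what the thread observes.
ORDERS = [
  { 'id' => 24, 'ShipName' => 'Split Rail Beer & Ale' },
  { 'id' => 99, 'ShipName' => 'Bolts & Nuts <Ltd> "North" & Co' }, # constructed
].freeze

# Doug's work-around, as a function: substitute in the model data before
# it reaches any view. Note that sub only touches the first match and
# leaves < > and quotes alone.
def escape_in_model(ship_name)
  ship_name.to_s.sub(/&/, '&amp;')
end

# What Chris and Tom recommend: return the value as-is from the model and
# HTML-encode once, at the output boundary. Rails' h() delegates to
# ERB::Util.html_escape, which handles &, <, > and quotes together.
def escape_in_view(value)
  ERB::Util.html_escape(value.to_s)
end

# The equivalent of <%= h order.ship_name %> for one row.
def render_cell(row)
  "<td>#{escape_in_view(row['ShipName'])}</td>"
end

# The failure mode of escaping in the model: once the view also calls h()
# (as it should), the entity is encoded twice and renders literally.
def double_escaped(ship_name)
  escape_in_view(escape_in_model(ship_name))
end

if __FILE__ == $0
  ORDERS.each do |row|
    puts "model-side : #{escape_in_model(row['ShipName'])}"
    puts "view-side  : #{render_cell(row)}"
    puts "both       : #{double_escaped(row['ShipName'])}"
  end
end
```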

On Aug 10, 2006, at 1:40 PM, Doug M. wrote:

characters (in this case – an ampersand – but could be anything).
Anyone have any better ideas, please share. Thanks!

for order in @orders
  # attributes returns a copy, so writing back through order[key] is safe
  order.attributes.each { |key, value|
    # gsub rather than sub, so every ampersand in the value is replaced
    value = value.to_s.gsub(/&/, "&amp;")
    order[key] = value
  }
end

Heavens, no!

In the view, just use:

<%= h order.attribute %>

h does HTML escaping.
– Tom M.

We are looking for a NYC based programmer to work on the server side
of an online newspaper. This project is in rails, but we want someone
who is a ruby developer first, and a rails developer second.

This project is for a site that actually does something. It’s not a
sneaker ad. You will have a sense of accomplishment…

Only friendly humans who can show previous work and code samples need
apply. Listener is based in NYC and we need someone who can work onsite
a few days a week.

To learn about Listener go to http://listenerinteractive.com

Best,
Jean-Charles