Help on Rails 3: html_safe doesn't unescape

I'm upgrading my CMS app to Rails 3, but some parts just don't get
unescaped :-(:

From application.html.erb:

    <% for article in topplinker %>
      <% nr = nr + 1 -%>
      <%= text2html(article.ingress, article.cloth).html_safe %>   # <----- Here it is!
      <% if defined?(session[:noruser]) -%>
        <% if authorized_to?(:controller => 'articles', :action => 'edit')
             linkon = 1 %>
          <%= link_to "Edit", :controller => 'articles', :action => 'edit', :id => article.id %>
        <% end %>
      <% end -%>
    <% end %>

returns the following unescaped text:

Hovedmeny

Meny for sentralt

What do I do wrong?

Henrik wrote in post #949279:

I'm upgrading my CMS app to Rails 3, but some parts just don't get
unescaped :-(:

From application.html.erb:

    <% for article in topplinker %>
      <% nr = nr + 1 -%>
      <%= text2html(article.ingress, article.cloth).html_safe %>   # <----- Here it is!

It's really difficult to know exactly what the problem is without
seeing the code for text2html. You need to make sure the string
generated inside of this method is marked html_safe in its entirety.
It's most likely too late to call html_safe at the point you're showing here.
As a rule of thumb, html_safe is generally used inside of a helper
method, whereas the "raw" method is generally used inside the view
template.

Example:

    <%= raw "

    My HTML string I want displayed unescaped.

    " %>

Here's a pretty nice article that goes into this in depth. Be sure to
read the section near the end about using html_safe inside helper
methods.

http://asciicasts.com/episodes/204-xss-protection-in-rails-3
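The point the reply makes (mark the whole string safe inside the helper, not after the fact) is easiest to see by running it. The following is an added illustration, not code from the thread, from Rails, or from Henrik's text2html helper: it models the two behaviours of Rails 3's SafeBuffer that matter here (a safe flag, and escaping of anything appended that is not already marked safe) with a small stand-in class, so it runs with plain Ruby. The two text2html variants are hypothetical, written only to show why a late `.html_safe` in the view cannot reverse escaping that already happened inside the helper, and why the corrected helper still keeps untrusted article text escaped.

```ruby
require "erb"

# Minimal stand-in for ActiveSupport::SafeBuffer (assumption: models only the
# safe flag and escape-on-append behaviour of Rails 3; not the real class).
class SafeBuffer < String
  def html_safe?
    true
  end

  # Appending a plain String escapes it; appending another SafeBuffer does not.
  def concat(other)
    super(other.html_safe? ? other.to_s : ERB::Util.html_escape(other.to_s))
  end
  alias_method :<<, :concat

  def +(other)
    dup.concat(other)
  end

  def html_safe
    self
  end
end

class String
  def html_safe?
    false
  end

  def html_safe
    SafeBuffer.new(self)
  end
end

# What <%= %> does in a Rails 3 template: escape unless the value is marked safe.
def render(value)
  value.html_safe? ? value.to_s : ERB::Util.html_escape(value.to_s)
end

# Equivalent of the view-level `raw` helper: mark the whole string safe as-is.
def raw(value)
  value.to_s.html_safe
end

# Hypothetical helper reproducing the failure: it starts from a SafeBuffer (as
# any helper built on content_tag/tag does) and appends its markup as a plain
# String, so the <p> tags themselves get escaped on the way in. A later
# .html_safe in the view only marks the already-escaped text as safe.
def broken_text2html(ingress)
  out = "".html_safe
  out << "<p>#{ingress}</p>"
  out
end

# Hypothetical corrected helper: escape the untrusted article text, wrap it in
# markup the helper controls, and mark the finished string safe in its entirety.
def fixed_text2html(ingress)
  "<p>#{ERB::Util.html_escape(ingress)}</p>".html_safe
end

if __FILE__ == $0
  # Constructed sample input matching the thread's example article title.
  puts render(broken_text2html("Hovedmeny").html_safe) # &lt;p&gt;Hovedmeny&lt;/p&gt;
  puts render(fixed_text2html("Hovedmeny"))            # <p>Hovedmeny</p>
  puts render(fixed_text2html("<b>x</b>"))             # <p>&lt;b&gt;x&lt;/b&gt;</p>
  puts render(raw("<p>Hovedmeny</p>"))                 # <p>Hovedmeny</p>
end
```

The first line of output is exactly the symptom from the question: the browser receives `&lt;p&gt;` and shows the tags as literal text, because the escaping happened when the markup was appended inside the helper, and `html_safe` never unescapes anything. The corrected helper decides safety once, at the point where it knows which part is its own markup and which part is article data.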
