[Rails3] Whitelist Rails 3 aggressive sanitizer

I have the following code:

<%= link_to(image_tag(…)) %>

The problem is that Rails sanitizes the images so it gets rendered as:

<img src=… />

I could use html_safe, but that’s painful and makes my code less
readable.

In Rails2 I could declare a whitelist such as:

config.action_view.sanitized_allowed_tags = 'a', 'blockquote', 'img',

But it doesn’t seem to work anymore. Did I miss anything in the
transition from Rails 2 to 3?

Agile Web Development with Rails 3 p.91 awkwardly addresses the issue by
using strip_tags() and skipping the explanation about how to let safe
tags through.

Oh ok! I did not understand that now I had to use sanitize to kick the
whitelist in.

Thanks.

I don’t understand the question.

In Rails 3 link_to does NOT escape the HTML produced by image_tag,
because the strings returned by these builtin helpers are marked as
html_safe:

∵ cat app/controllers/test_controller.rb
class TestController < ApplicationController
  def index
    render :inline => '<%= link_to image_tag("foo") %>'
  end
end

∵ curl http://localhost:3000/test
<a href="/test"><img alt="Foo" src="/images/foo" /></a>

Why is your application escaping the image tag?

The problem is that Rails sanitizes the images so it gets rendered as:

<img src=… />

I could use html_safe, but that’s painful and makes my code less
readable.

I do not have an actual solution for you but maybe these links are
helpful:

On Mon, Feb 14, 2011 at 9:37 AM, Fernando P. wrote:

Why is your application escaping the image tag?

Because I do something such as:

<%= link_to "#{image_tag('cart.png')} Cart", cart_url %>

So really the image_tag is inside a string, hence its sanitization.

I see.

I would write a helper link_to_cart whose implementation uses the raw
helper. That’s the standard way to address this in Rails 3.
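The mechanism behind this answer, as an added example that is not code from the thread or from Rails itself: a deliberately minimal model of how Rails 3's SafeBuffer flag behaves (the SafeBuffer, image_tag, link_to and raw below are simplified stand-ins, not the real implementations), showing why string interpolation drops the safe flag, how a link_to_cart helper built on raw restores it, and how a caller-supplied label is still escaped when it is concatenated instead of blanket-trusted.

```ruby
require "erb"

# Simplified model of Rails 3's ActiveSupport::SafeBuffer (constructed for
# this example): a String that remembers it is already HTML and escapes
# anything non-safe that is appended to it.
class SafeBuffer < String
  def html_safe?; true; end
  def +(other)
    SafeBuffer.new(super(other.html_safe? ? other : ERB::Util.html_escape(other)))
  end
end

class String
  def html_safe?; false; end
  def html_safe; SafeBuffer.new(self); end
end

# Stand-ins for the Rails helpers discussed in the thread (simplified).
def image_tag(src)
  %(<img src="/images/#{ERB::Util.html_escape(src)}" />).html_safe
end

def link_to(body, url)
  body = ERB::Util.html_escape(body) unless body.html_safe?
  %(<a href="#{ERB::Util.html_escape(url)}">#{body}</a>).html_safe
end

# raw marks a string as trusted; apply it only to markup you built yourself.
def raw(s); s.html_safe; end

# The original template: "#{...}" interpolation yields a plain String, so
# link_to escapes the <img> markup that image_tag produced.
def link_to_cart_interpolated
  link_to("#{image_tag('cart.png')} Cart", "/cart")
end

# The helper the answer recommends: raw applied to markup that consists only
# of trusted helper output and a literal.
def link_to_cart
  link_to(raw("#{image_tag('cart.png')} Cart"), "/cart")
end

# Variant with a caller-supplied label: concatenating onto the SafeBuffer
# escapes just the untrusted part instead of trusting the whole string.
def link_to_cart_with_label(label)
  link_to(image_tag("cart.png") + " #{label}", "/cart")
end
```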
