I have the following code:
<%= link_to(image_tag(…)) %>
The problem is that Rails sanitizes the images so it gets rendered as:
<img src=… />
I could use html_safe, but that’s painful and makes my code less
readable.
In Rails 2 I could declare a whitelist such as:
config.action_view.sanitized_allowed_tags = 'a', 'blockquote', 'img',
…
But it doesn’t seem to work anymore. Did I miss anything in the
transition from Rails 2 to 3?
fipa
February 13, 2011, 10:26pm
2
Agile Web Development with Rails 3 p.91 awkwardly addresses the issue by
using strip_tags() and skipping the explanation about how to let safe
tags through.
fipa
February 13, 2011, 10:44pm
3
Oh ok! I did not understand that now I had to use sanitize to kick the
whitelist in.
Thanks.
fipa
February 14, 2011, 8:54am
4
I don’t understand the question.
In Rails 3 link_to does NOT escape the HTML produced by image_tag,
because the strings returned by these builtin helpers are marked as
html_safe:
∵ cat app/controllers/test_controller.rb
class TestController < ApplicationController
  def index
    render :inline => '<%= link_to image_tag("foo") %>'
  end
end
∵ curl http://localhost:3000/test
<a href="/test"><img alt="Foo" src="/images/foo" /></a>
Why is your application escaping the image tag?
fipa
February 13, 2011, 10:35pm
5
The problem is that Rails sanitizes the images so it gets rendered as:
<img src=… />
I could use html_safe, but that’s painful and makes my code less
readable.
I do not have an actual solution for you but maybe these links are
helpful:
fipa
February 14, 2011, 9:57am
6
On Mon, Feb 14, 2011 at 9:37 AM, Fernando P. wrote:
Why is your application escaping the image tag?
Because I do something such as:
<%= link_to "#{image_tag('cart.png')} Cart", cart_url %>
So really the image_tag is inside a string, hence its sanitization.
I see.
I would write a helper link_to_cart whose implementation uses the raw
helper. That’s the standard way to address this in Rails 3.
fipa
February 14, 2011, 9:37am
7
Why is your application escaping the image tag?
Because I do something such as:
<%= link_to "#{image_tag('cart.png')} Cart", cart_url %>
So really the image_tag is inside a string, hence its sanitization.
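
Why the interpolated string in the thread gets escaped, and why a `link_to_cart` helper is better built by appending to the safe string than by wrapping the whole interpolated string in `raw`, shown as an added example that is not from the posts or from Rails itself. `SafeBuffer`, `image_tag`, `link_to` and `raw` below are simplified pure-Ruby stand-ins for the Rails 3 helpers, and the label values are constructed.

```ruby
require 'erb'

# Simplified model of Rails 3's safe-string buffer (not Rails' own code).
class SafeBuffer < String
  def html_safe?
    true
  end

  # Escape a value unless it is already marked html_safe.
  def self.escape(value)
    safe = value.respond_to?(:html_safe?) && value.html_safe?
    safe ? value.to_s : ERB::Util.html_escape(value.to_s)
  end

  # Appending an unmarked string escapes it; the result stays safe.
  def +(other)
    SafeBuffer.new("#{self}#{SafeBuffer.escape(other)}")
  end
end

# Hypothetical stand-ins for the helpers named in the thread.
def image_tag(src)
  SafeBuffer.new(%(<img src="/images/#{ERB::Util.html_escape(src)}" />))
end

def link_to(body, url)
  SafeBuffer.new(%(<a href="#{ERB::Util.html_escape(url)}">#{SafeBuffer.escape(body)}</a>))
end

def raw(string)
  SafeBuffer.new(string.to_s)
end

# 1. The call from the thread: interpolation returns a plain String, so the
#    whole body, image tag included, is escaped.
def interpolated_link(label)
  link_to("#{image_tag('cart.png')} #{label}", '/cart')
end

# 2. raw around the interpolated string: the image renders, and so does any
#    markup carried in label.
def raw_link(label)
  link_to(raw("#{image_tag('cart.png')} #{label}"), '/cart')
end

# 3. Appending to the safe buffer: the image stays markup, label is escaped.
def link_to_cart(label)
  link_to(image_tag('cart.png') + " #{label}", '/cart')
end
```

In a real Rails 3 view the third form is `link_to image_tag("cart.png") + " Cart", cart_url`, which keeps escaping in force for any part of the label that comes from user data.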