Ruby variable that embeds html tags

This seems very simple, but I can’t quite get it. Probably because I’m
just starting out with RoR.

My view has a slew of labels and text fields; many are “required”:

<%= f.text_field :screen_name %> <span class="required_field">Required field</span>

(The “required_field” class turns the text red and smaller.) I’d like
to not have everything between <span class="required_field"> and </span>
sitting at the end of every required line. I’d like instead to use a variable:

<% req = '<span class="required_field">Required field</span>' %>

And then have
<%= f.text_field :screen_name %> <%= req %>

Shorter and DRYer. But when I do that, I get my HTML printed to the
screen, not interpreted.

Help appreciated. Thanks!
Jacob

On 15 July 2011 22:13, Jacob [email protected] wrote:

> of every required line. I’d like instead to use a variable:
>
> <% req = '<span class="required_field">Required field</span>' %>
>
> And then have
> <%= f.text_field :screen_name %> <%= req %>

By default Rails will assume that req may contain malicious text (such
as some evil js for example) and will escape it so that the raw html
appears on the page. Since you know that req is safe to output
directly you can either use <%= req.html_safe %> or
<%= req = "<span … >".html_safe %>

On a separate point I would use a view helper method rather than
defining req inline however.

Colin
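The behaviour Colin describes, as an added example that is not code from this thread or from Rails itself: a stand-in for ActiveSupport::SafeBuffer so it runs on plain Ruby, an output_safe method that mimics what <%= %> does, and a required_field helper in the view-helper style he recommends. SafeBuffer here, output_safe, raw, required_field and render_row are all names assumed for the example; the real Rails classes behave the same way for these cases but are not used.

```ruby
require "erb"

# Added example (not from the thread). Models Rails' escaping rule with a
# stand-in for ActiveSupport::SafeBuffer so it runs without Rails installed.

# A String that remembers it has already been escaped or was built from
# trusted markup. Rails' real class is ActiveSupport::SafeBuffer.
class SafeBuffer < String
  def html_safe?
    true
  end
end

class String
  # Plain strings are untrusted until someone explicitly vouches for them.
  def html_safe?
    false
  end

  # Mark this string as trusted markup (mirrors ActiveSupport's String#html_safe).
  def html_safe
    SafeBuffer.new(self)
  end
end

# What <%= value %> does: escape anything that is not marked safe.
def output_safe(value)
  value.html_safe? ? value.to_s : ERB::Util.html_escape(value.to_s)
end

# The raw helper is just html_safe applied to the string form of its argument.
def raw(value)
  value.to_s.html_safe
end

# A view-helper style method (Colin's suggestion). The wrapper markup is
# fixed, so marking it safe is fine; the label text is escaped first so a
# caller can never smuggle tags through it.
def required_field(text = "Required field")
  %(<span class="required_field">#{ERB::Util.html_escape(text)}</span>).html_safe
end

# Renders one row the way the view in the question does.
def render_row(field_html, marker)
  "#{field_html} #{output_safe(marker)}"
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample values standing in for f.text_field output and req.
  field = %(<input type="text" name="user[screen_name]">)
  req = '<span class="required_field">Required field</span>'
  puts render_row(field, req)            # escaped: the tags show up as text
  puts render_row(field, req.html_safe)  # rendered as markup
  puts render_row(field, raw(req))       # same result via raw
  puts render_row(field, required_field) # helper: markup with escaped label
end
```

The point the helper makes is that html_safe is a promise, not a sanitiser: only the fixed wrapper is marked safe, and anything interpolated into it is escaped first, so the promise stays true even if the label text later comes from somewhere untrusted.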

Colin L. wrote in post #1011094:

> On 15 July 2011 22:13, Jacob [email protected] wrote:
>
> > of every required line. I’d like instead to use a variable:
> >
> > <% req = '<span class="required_field">Required field</span>' %>
> >
> > And then have
> > <%= f.text_field :screen_name %> <%= req %>
>
> By default Rails will assume that req may contain malicious text (such
> as some evil js for example) and will escape it so that the raw html
> appears on the page. Since you know that req is safe to output
> directly you can either use <%= req.html_safe %> or
> <%= req = "<span … >".html_safe %>
>
> On a separate point I would use a view helper method rather than
> defining req inline however.

From what I gather from the following it might be slightly faster to use
<%= raw req %> rather than using html_safe directly when inside a view
template:

If a plain String is passed into a <%= %>, Rails always escapes it

If a SafeBuffer is passed into a <%= %>, Rails does not escape it. To
get a SafeBuffer from a String, call html_safe on it. The XSS system has
a very small performance impact on this case, limited to a guard calling
the html_safe? method

If you use the raw helper in a <%= %>, Rails detects it at compile-time
of the template, resulting in zero performance impact from the XSS
system on that concatenation

Rails does not escape any part of a template that is not in an ERB tag.
Because Rails handles this at template compile-time, this results in
zero performance impact from the XSS system on these concatenations

On 18 July 2011 22:45, Robert W. [email protected] wrote:

> as some evil js for example) and will escape it so that the raw html
>
> Rails does not escape any part of a template that is not in an ERB tag.
> Because Rails handles this at template compile-time, this results in
> zero performance impact from the XSS system on these concatenations

That is useful to know, thanks Robert.

Colin