Text_area_tag not escaping content by default


#1

I stumbled on the fact that text_area_tag does not HTML escape its
content by default. For example:

text_area_tag "body", ""

At the very least, are we amenable to adding a note in the
FormTagHelper docs about the escaping rules?


#2

On Feb 15, 8:10 pm, mla removed_email_address@domain.invalid wrote:

I found a ticket on this issue from a couple years ago from Chris M.
but it looks like it was dropped: http://dev.rubyonrails.org/ticket/5929

I’ve put up an updated ticket and patch:

http://rails.lighthouseapp.com:80/projects/8994/tickets/2015-text_area_tag-should-escape-contents-by-default

Since making that first patch two years ago, the corresponding
text_area method in FormHelper now escapes its contents by default, so
I think there’s a good case for text_area_tag having the same
behaviour, for consistency’s sake if nothing else.

Chris


#3

On Feb 15, 8:10 pm, mla removed_email_address@domain.invalid wrote:

I found a ticket on this issue from a couple years ago from Chris M.
but it looks like it was dropped: http://dev.rubyonrails.org/ticket/5929

I’ve posted a new ticket on Lighthouse with an up-to-date patch:

http://rails.lighthouseapp.com/projects/8994-ruby-on-rails/tickets/2015-text_area_tag-should-escape-contents-by-default

I also noticed that the text_area method in FormHelper actually does
escape its contents now, so text_area_tag probably should do the same
for consistency’s sake if nothing else.

Chris
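
The difference the thread is discussing, as an added example that is not part of the original posts and is not Rails' own code: `textarea_html` is a hypothetical plain-Ruby stand-in for a textarea helper, its `escape:` keyword and the `breaks_out?` check are assumptions made for illustration, and the sample content is constructed.

```ruby
require "erb"

# Hypothetical stand-in for a textarea helper (NOT Rails' implementation).
# escape: false reproduces the unescaped behaviour described in the thread;
# escape: true is the escape-by-default behaviour the ticket asks for.
def textarea_html(name, content = "", escape: true)
  body = escape ? ERB::Util.html_escape(content.to_s) : content.to_s
  id = ERB::Util.html_escape(name.to_s)
  %(<textarea id="#{id}" name="#{id}">#{body}</textarea>)
end

# True when the rendered content closes the element early, so that whatever
# follows it would be parsed as page markup instead of as the field's text.
def breaks_out?(html)
  # Everything between the opening tag and the final closing tag.
  inner = html[/\A<textarea[^>]*>(.*)<\/textarea>\z/mi, 1]
  inner.nil? || inner.match?(/<\/textarea/i)
end

# Constructed sample: user-supplied text that happens to contain markup.
SAMPLE = %(Thanks!</textarea><b>outside the field</b>)

RAW  = textarea_html("body", SAMPLE, escape: false)
SAFE = textarea_html("body", SAMPLE)

if __FILE__ == $PROGRAM_NAME
  puts "unescaped: #{RAW}"
  puts "  content leaves the field? #{breaks_out?(RAW)}"
  puts "escaped:   #{SAFE}"
  puts "  content leaves the field? #{breaks_out?(SAFE)}"
end
```

With escaping on, the browser decodes the entities again when it displays the field, so the user still sees the original text in the textarea.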