This project is archived and is in readonly mode.

#4847 ✓resolved
Cody Fauser

[PATCH] Remove unused String#html_safe!

Reported by Cody Fauser | June 13th, 2010 @ 03:02 AM | in 2.3.9

From what I can discern, the String#html_safe! method is currently not in use and provides no useful functionality other than raising an exception on both strings and ActiveSupport::SafeBuffer instances when called. The method is deprecated in Rails 2.3.6, but hasn't yet been removed in the master branch. This patch removes the method, which is the only reference to the html_safe! method in all of Rails.

Comments and changes to this ticket

  • Rohit Arondekar

    Rohit Arondekar June 14th, 2010 @ 08:00 AM

    • Assigned user set to “José Valim”


    I found the reason why html_safe! doesn't actually do anything besides raising an exception:

    For performance reasons safe strings are implemented in a way that cannot offer an in-place html_safe! variant.


    i.m.h.o I think the method should be removed or at least the exception raised should explain why you cannot call html_safe! on a string.

    On that note, +1 to the patch, applies cleanly and tests pass on 1.9.2-head and 1.8.7-p174

  • Neeraj Singh

    Neeraj Singh June 14th, 2010 @ 02:33 PM

    I would say that this code is self documenting and since html_safe is something a lot of people would encounter in rail3, this method should stay.

  • Cody Fauser

    Cody Fauser June 14th, 2010 @ 02:47 PM


    I disagree. html_safe! is not a usable method on any object. There is no better way to indicate that you can't call a method than to not implement it and the method is clearly deprecated in Rails 2.3.6.

  • Rohit Arondekar

    Rohit Arondekar June 14th, 2010 @ 02:55 PM

    If the method is to be kept I would prefer it if the message is more self explanatory. This will avoid confusion and people filing bug reports.

    If anybody agrees with me, I've attached a patch that should explain why the method can't be called. Tested it on 1.8.7-p174 and 1.9.2-head.

  • Rohit Arondekar

    Rohit Arondekar June 14th, 2010 @ 03:09 PM

    For the record I still agree with Cody though, if the method can't be called it shouldn't exist.

  • José Valim

    José Valim June 15th, 2010 @ 12:07 PM

    In Rails 2.3.5, the official API was html_safe! However, we found out that it's actually slow and provided another implementation, so we needed to deprecate the old html_safe! method and stop modifying strings in place.

    We preferred to use RuntimeError because we wanted to be clear that the html_safe! existed but we changed its behavior. If we raised NoMethodError, developers would be wondering what happened and if they were actually doing something wrong.

    But since it was already deprecated on 2.3.6 and it shows a message on 2.3.8, it can be removed for 2.3.9.

    I hope this clarify a bit. I will apply this patch later.

  • José Valim

    José Valim June 20th, 2010 @ 11:14 AM

    • Milestone set to 2.3.9
    • Assigned user changed from “José Valim” to “Michael Koziarski”

    Assigning to Koz to give the final word here since html_safe is his baby.

  • Santiago Pastorino

    Santiago Pastorino June 20th, 2010 @ 03:58 PM

    • State changed from “new” to “resolved”
    • Assigned user changed from “Michael Koziarski” to “Santiago Pastorino”

    This is already out on 2-3-stable since this commit

  • Andrea Campi

    Andrea Campi October 11th, 2010 @ 07:20 AM

    • Tag changed from patch activesupport xss to activesupport, patch, xss
    • Importance changed from “” to “Low”

    bulk tags cleanup

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href=""></a>