
#4878 ✓committed
Michael Koziarski

truncate should always return unsafe strings

Reported by Michael Koziarski | June 16th, 2010 @ 10:25 PM | in 3.0.2

As mentioned in #4825 the change to using sanitize in truncate has broken some valid use cases. e.g. descriptions such as:

  <script> tags not working in admin section

Instead the helper should simply return the strings as unsafe, and let the user either mark them as raw() or rely on the default escaping.

We can't use the html_safety of the input to determine whether to return a safe string because of cases like this:

  <%= truncate(h("wtf&"), 4) %>
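As an added illustration of the point the ticket makes (this is constructed example code, not code from the ticket or from Rails), the following plain-Ruby model uses a minimal `SafeString` marker in place of `ActiveSupport::SafeBuffer`, with small `h`, `raw`, `render`, `truncate_unsafe` and `truncate_inheriting_safety` helpers that are all assumptions of the example. It runs the ticket's two inputs through both policies: always returning an unsafe string, and inheriting the input's safety flag. It also goes one step beyond the ticket's `truncate(h("wtf&"), 4)` by picking a length at which the cut lands inside the `&amp;` entity, which is the case where inherited safety emits broken markup.

```ruby
require 'cgi'

# Constructed stand-in for the html_safe marking that ActiveSupport::SafeBuffer
# provides; not the Rails implementation. A plain String counts as unsafe.
class String
  def html_safe?; false; end
end

class SafeString < String
  def html_safe?; true; end
end

# h(): escape and mark as safe, modelled on the Rails helper of the same name.
def h(text)
  SafeString.new(CGI.escapeHTML(text.to_s))
end

# raw(): mark as safe without escaping; the caller takes responsibility.
def raw(text)
  SafeString.new(text.to_s)
end

# Default output escaping as <%= %> does it: safe strings pass through,
# everything else is escaped.
def render(value)
  value.html_safe? ? value.to_s : CGI.escapeHTML(value.to_s)
end

# The behaviour the ticket asks for: truncate returns a plain (unsafe) String
# whatever came in. String.new drops any SafeString marking on the input.
def truncate_unsafe(text, length, omission: "...")
  s = text.to_s
  return String.new(s) if s.length <= length
  keep = [length - omission.length, 0].max
  String.new(s[0, keep] + omission)
end

# The alternative the ticket rejects: inherit the input's safety flag.
def truncate_inheriting_safety(text, length, omission: "...")
  out = truncate_unsafe(text, length, omission: omission)
  text.html_safe? ? SafeString.new(out) : out
end

# Constructed sample inputs, taken from the ticket text.
DESCRIPTION = "<script> tags not working in admin section"
ESCAPED     = h("wtf&") # "wtf&amp;", marked safe

def demo
  {
    # Escaping on output keeps the literal "<script>" visible for the reader
    # instead of sanitising it away.
    description:      render(truncate_unsafe(DESCRIPTION, 20)),
    # The ticket's own case: at length 4 the entity is cut off entirely.
    ticket_case:      render(truncate_unsafe(ESCAPED, 4)),
    # Inherited safety lets a half entity ("wtf&") reach the page unescaped.
    inherited_safety: render(truncate_inheriting_safety(ESCAPED, 7)),
    # Always-unsafe plus default escaping yields well-formed markup.
    always_unsafe:    render(truncate_unsafe(ESCAPED, 7)),
    # raw() is the explicit opt-in the ticket proposes for trusted markup.
    explicit_raw:     render(raw(truncate_unsafe("<b>bold</b>", 20))),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, html| puts "#{name}: #{html}" }
end
```

The `always_unsafe` result shows the trade-off the ticket accepts: an already-escaped input gets escaped a second time (`&amp;...`), which displays as a literal ampersand, but the page stays well-formed and nothing unescaped slips through on the strength of a flag that the truncation itself may have invalidated.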
