Comments and changes to this ticket

• You flagged this item as spam.
  

  Carsten Gehling June 30th, 2010 @ 09:13 AM

  • Tag changed from “i18n html_safe” to “html_safe, i18n”

• You flagged this item as spam.
  

  Carsten Gehling June 30th, 2010 @ 09:14 AM

  • Tag changed from “html_safe, i18n” to “3.x, html_safe, i18n”

• You flagged this item as spam.
  

  Jan De Poorter June 30th, 2010 @ 09:48 AM

  In my opinion it should be more "secure":

  @@@ruby

  This should be html_safe by default

  <%= I18n.t(:hello_user) %>

  This should not be html_safe

  <%= I18n.t(:user_title, :username => @user.name) %>
  

  
  So basically if there is no interpolation it should be html_safe, if there is interpolation it should be escaped (because we all know 1 user with name <script>alert('I hax0red you')</script> right)
  

• You flagged this item as spam.
  

  Jan De Poorter June 30th, 2010 @ 09:50 AM

  sorry for the bad formatting on my part there.

• You flagged this item as spam.
  

  Carsten Gehling June 30th, 2010 @ 10:09 AM

  Ah yes of course. :-)

  I am not sure that it is a good idea to patch it then. It'll probably make things more confusing. Shouldn't a developer be able to expect just one kind of output from I18n.translate?

  I'm really in doubt about this.

  /Carsten

• 

  José Valim June 30th, 2010 @ 12:08 PM

  • State changed from “new” to “invalid”
  • Importance changed from “” to “Low”

  This is on purpose. Btw, if you append _html to the translation, it's marked as safe. That said:

  t(".title_html")

  It will be marked as safe and won't be escaped.

• You flagged this item as spam.
  

  Carsten Gehling July 1st, 2010 @ 03:45 PM

  Okay, thanks.

  /Carsten