#4695 string added to rails_helpers gets HTML escaped - Ruby on Rails

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

This project is archived and is in readonly mode.

#4695 ✓resolved

string added to rails_helpers gets HTML escaped

Reported by Fjan | May 25th, 2010 @ 08:46 PM

If the first part of a string is a rails helper the rest of the string gets HTML escaped:

h('test')+'<br/>' # => wrong: test&lt;br&gt;
''+h('test')+'<br/>' # => ok: test<br/>
"#{h('test')}<br/>" # => ok: test<br/>

Comments and changes to this ticket

Neeraj Singh May 25th, 2010 @ 10:20 PM
In my view it is a consistent behavior.
```
>> ''+ERB::Util.html_escape('test') + '<br />'
=> "test<br />"

>> ''.html_safe+ERB::Util.html_escape('test') + '<br />'
=> "test&lt;br /&gt;"

>> ERB::Util.html_escape('test') + '<br />'.html_safe
=> "test<br />"
```
In the first example given by the Fjan, not safe html is being added to safe html. Probably you already know the solution and that is to mark br as safe as I did in my last example.
You flagged this item as spam.
Fjan May 25th, 2010 @ 10:27 PM
Yes, it is consistent, however it is also a bug since it is consistently different from Rails versions < 2.3.8 and therefore it breaks a lot of apps which is not allowed in a point release. (I had to fix around 20 occurrences in my apps)
Neeraj Singh May 25th, 2010 @ 10:45 PM
Fjan: Looks like you got your wish.

http://github.com/rails/rails/commit/a815f0c5a3a873aefca76f459ce05d...
You flagged this item as spam.
Fjan May 25th, 2010 @ 10:56 PM
great :-)

Well, I fixed everything by now. I actually amended the test helper to find all of them and it found a few more I hadn't caught before. It's a simple one-line addition to the test suite this, I'm going to leave it in:
```
  raise "Double escaped HTML in text (&#{$1};)" if @response.body =~ /&amp;(raquo|lt|gt|nbsp|amp)/
```
Yehuda Katz (wycats) May 25th, 2010 @ 11:43 PM
- Milestone set to “2.3.8”
- State changed from “new” to “resolved”
In the meantime, you can apply the following monkey-patch:
```
class ActiveSupport::SafeBuffer
  def concat(*args) super end
  alias << concat
end
```
This will remove any trace of html_safe concatenation.
Jeremy Kemper May 25th, 2010 @ 11:44 PM
- Milestone cleared.
You flagged this item as spam.
Dan Nuttall June 1st, 2010 @ 02:40 PM
This commit doesn't seem to have made it into the 2.3.8 tag:
http://github.com/rails/rails/blob/v2.3.8/activesupport/lib/active_...

Was this an oversight or was it left out for a reason?
You flagged this item as spam.
Matthew Horan June 4th, 2010 @ 09:12 PM
Anyone? Bueller? This has forced us to stick with 2.3.5.