This project is archived and is in readonly mode.

#4858 open
Rodrigo Rosenfeld Rosas

[PATCH] ActionMailer is html escaping plain text messages

Reported by Rodrigo Rosenfeld Rosas | June 14th, 2010 @ 01:17 PM | in 3.0.6

A view views/mailer/message.text.erb with this content: (read an ampersand only, cause LightHouse will mess with it)

is sent as a plain text message with this link:

Comments and changes to this ticket

  • Michael Koziarski

    Michael Koziarski June 14th, 2010 @ 09:17 PM

    • Milestone cleared.
    • Tag set to regression
    • Assigned user set to “Yehuda Katz (wycats)”

    This is probably as a result of unifying the AM and AC use of AV, it's a regression and should be fixed before 3.0

  • Amos King

    Amos King June 15th, 2010 @ 03:41 AM

    I can't reproduce this issue with the latest. Can I get an example so I can tackle this.

  • Rodrigo Rosenfeld Rosas

    Rodrigo Rosenfeld Rosas June 15th, 2010 @ 03:57 AM

    I've just found the root cause. url_for is not marking the url as html_safe and the ERB template used by the plain text templating is sanitizing the text by default as the other ERB templates.

    This mean that now the plain text ERB template should be something like:

    Please, visit <%= raw @confirmation_url %>

    I think plain text templates should not be sanitized in favor of the least surprise principle...

    What do you think?

  • LYN

    LYN July 19th, 2010 @ 11:05 AM

    • Importance changed from “” to “Medium”

    on chain Aquaracer 2000 Mens WAB2011.BA0803-1582 international criminals that worth omega brand the illegally acquired bankroll Dolce Vita Ladies L5. to important inhumane activities Classic 16 mens-1494 revel in disturbance besides Oyster Perpetual Datejust Two-Tone 18kt Yellow Gold and Steel Mens 16234J-58 drug trafficking. This object omega replica is witting to educate omega an powwow that has replica Vacheron Constantin the markedly manage in Mens Black Strap 698-4020 that stopping this assumed omega man movement. The bogus purses that are bough

  • Akira Matsuda

    Akira Matsuda August 23rd, 2010 @ 08:00 AM

    I also got stuck on this problem.

    I think plain text templates should not be sanitized in favor of the least surprise principle... What do you think?

    1. Plain text template should better not be html_escaped.
  • Akira Matsuda
  • Jeremy Kemper
  • Santiago Pastorino

    Santiago Pastorino September 1st, 2010 @ 02:00 AM

    • State changed from “new” to “open”
    • Assigned user changed from “Yehuda Katz (wycats)” to “Mikel Lindsaar”
    • Importance changed from “” to “Low”
  • José Valim

    José Valim September 1st, 2010 @ 11:11 PM

    • Assigned user changed from “Mikel Lindsaar” to “Yehuda Katz (wycats)”

    This is not related to the mail gem, but the ActionView bit. Assigning it back to Mr. Katz.

  • Wincent Colaiuta

    Wincent Colaiuta September 4th, 2010 @ 02:07 PM

    I've had to use raw in a few places in my non-HTML templates for this reason.

    It's not limited to templates with the .text.erb extension. I've also had to do it in .js.erb templates. I imagine that if I had other non-HTML ERB templates it would behave the same way too.

    No idea if this is limited to ERB, seeing as the only other template format I use is Haml, which is obviously always producing HTML output only.

  • Jeremy Kemper

    Jeremy Kemper October 15th, 2010 @ 11:01 PM

    • Milestone set to 3.0.2
  • Ryan Bigg

    Ryan Bigg October 19th, 2010 @ 08:34 AM

    • Tag cleared.

    Automatic cleanup of spam.

  • Fjan

    Fjan November 3rd, 2010 @ 07:08 PM

    I just wanted to point out that the it's not just URLs and not just ampersands: any text gets HTML escaped. This is going to trip people up who accidentally use < and > characters in an e-mail address for example. My plain text e-mail templates are now littered with .html_safe everywhere to prevent this.

    As far as I can tell from the code this is going to be pretty hard to fix without ruining the nice unification of the mailer views with the regular views we just had. My suggestion is to define a new erb character sequence such as <%== to mean a "raw concat". That will beatify the code a little and make sure that we can upgrade old templates with a simple search/replace, mailer or regular view.

  • Fjan

    Fjan November 3rd, 2010 @ 08:51 PM

    Just a quick follow up to myself, I looked at the code and all that is needed to make "<%== ..." behave as "<%= raw ..." is this snippet in an initializer:

    module ActionView
      class Template
        module Handlers
          class Erubis < ::Erubis::Eruby
            def add_expr_escaped(src, code)
              src << "@output_buffer.safe_concat(" << escape_text(code.html_safe) << ");"

    It can be made more efficient by adding to the string directly.

  • Wincent Colaiuta

    Wincent Colaiuta November 3rd, 2010 @ 08:57 PM

    I think adding new syntax is a non-solution to this problem which just wall-papers over the underlying issue.

    The fact is that it doesn't make sense to HTML-escape content which is not HTML.

    Merely adding a short-cut syntax for avoiding the undesired escaping is just giving us a more concise means of doing something that we shouldn't have to do in the first place, and IMO it would be worse than just ignoring the problem.

  • Fjan

    Fjan November 3rd, 2010 @ 09:07 PM

    I agree a proper fix where plain text templates do net get escaped would be better.

    However, I still like that new syntax for the regular views. I just did a quick count for "html_safe" and I came up with 390 in my views and helpers. So it would sure save a lot of typing and it can also make the templates more efficient by not converting to an output_buffer and back to a string (as I did above).

    I simply like to use some like without all the html_safe stuff:

    <%= "<b>Alert</b>".html_safe if level<0 %>
  • Fjan

    Fjan November 3rd, 2010 @ 11:16 PM

    Oops, that method in my first posts should have read:

    def add_expr_escaped(src, code)
      src << "@output_buffer.safe_concat((" << code << ").to_s);"

    Also apologies for the lack of proofreading in the second post. I'm actually tempted to override the XSS escaping when upgrading from Rails 2 projects by doing a global search/replace of <%= with <%== now. The on-by-default escaping idea is sound in theory but it's just introducing more problems than it solves when upgrading an old and stable code base.

  • Fjan

    Fjan November 3rd, 2010 @ 11:17 PM

    • Title changed from “ActionMailer is html escaping ampersand (&) in Urls in plain text messages” to “ActionMailer is html escaping plain text messages”
  • Wincent Colaiuta

    Wincent Colaiuta November 3rd, 2010 @ 11:21 PM

    I agree a proper fix where plain text templates do net get escaped would be better.

    However, I still like that new syntax for the regular views.

    Fjan, your proposed shortcut syntax probably belongs in a separate ticket.

  • Fjan

    Fjan November 3rd, 2010 @ 11:24 PM

    You are right. Sorry for the spam here, not thinking to clearly after typing 390 html_safes. I'll put in a new ticket tomorrow.

  • Bertg

    Bertg November 5th, 2010 @ 07:53 PM

    • Tag set to actionview, escaping, formats, html_safe, safe_buffer, xss

    We have been investigating this issue, and it goes beyond ActionMailer.

    We have detected this happening when rendering csv files, ical compatible files etc.. Basically html escaping is happening all the time in ActionView regardless of format.

    Templates and Handlers always choose a ActionView::SafeBuffer or a subclass of it. This is desired behaviour in case of html (or alike, e.g.: xml) but not in any other context like plain text emails or csv.

    The template should be smart enough to choose the correct buffer based on the format passed to it. E.g.: when the extension of a template is .text.haml it should not be doing any escaping, i.e. not be using the safe buffer.

    We do think the priority of this bug should be high, as it's influencing all formats besides html, and thus breaking these.

    The impact is probably going to be beyond rails, but in any rails3 compatible handler, like haml.

  • jim123456

    jim123456 November 8th, 2010 @ 01:24 AM

    When Coach began as Manhattan Leather Bags in 1941, they were inspired by baseball glove design and they created discount handbags with similar qualities.supra shoes didn't come along until years later. The original handbag collection had twelve designs, and they were made from supple, tan, top-quality leathers, and showed the same excellent craftsmanship and stitching that we still expect today.

    Coach hired a woman named Bonnie Cashin in 1962, and she brought new looks to Coach bags. She used many new fabrics and organic materials like jersey and wool. She created the brass hardware that is symbolic of timberland boots. When Lew Frankfort came aboard in 1979, he brought Coach to the next level, and they became a name known the world over. Affordable luxury was not a concept that many people knew, but now they would. Soon after Frankfort joined Coach, they came out with a catalog, and opened their flagship store in New York City.

    In the 1980's, Coach expanded and made innovations that brought its brand relevance and strength. They designed watches starting in 1988, and also expanded their company to Tokyo. Japan still counts among the leading purchasers of coach purses and Coach heels. The manufacture of Coach shoes began in the mid 90's, and Reed Krakoff, the lead designer, loaned his talents to help put Coach heels and louis vuitton bags outlet on the map. Their shoes aren't as popular as their handbags, but they are well worth the money invested in their purchase.

    Women love heels, but at times you may want to wear shoes that don't have this height. true religion jeans outlet are as dedicated to comfort as they are to style and pizzazz. Coach platforms come in many styles, from gold loafers to slingbacks with open toes. You may be able to find Coach shoes at discount prices online, but be sure that you are buying genuine Coach products.

    If you're looking for moncler jackets that will make you feel and look glamorous, Coach shoes and chanel purses can do that well. Coach sneakers and heels will make you feel sporty, too. When selecting pumps or sandals to wear, you'll be happy to count on the long-standing quality and service of the Coach company. They have many styles to choose from, including chic and glamorous Coach boots and Coach heels. Whether you are looking for sports shoes like Coach sneakers or sexy shoes like Coach boots, the Coach name will never let you down.

  • Fjan

    Fjan November 11th, 2010 @ 03:25 PM

    Now that my patch to add a non-escaping option to Erubis has been committed to 3.0 stable this problem can be fixed by simply letting the handler check if the template identifier contains "html" and disabling escape otherwise. Attached is a monkey patch that adds one line to the template setup:

       :escape => template.identifier !~ /\.html/   # Note: :escape => true disables escaping

    Note that this patch will only work if the patch mentioned above is also applied.

  • Rodrigo Rosenfeld Rosas

    Rodrigo Rosenfeld Rosas November 11th, 2010 @ 03:52 PM

    Worth noting that this monkey patch will only work on ERB templates but won't work for HAML for instance...

  • Fjan

    Fjan November 11th, 2010 @ 04:40 PM

    • Title changed from “ActionMailer is html escaping plain text messages” to “[PATCH] ActionMailer is html escaping plain text messages”

    Here is the one-line patch that can be applied to edge. Sorry, I have no idea how to add a test for this, I'm kind of new to all this.

  • Santiago Pastorino
  • Santiago Pastorino
  • Santiago Pastorino

    Santiago Pastorino February 27th, 2011 @ 03:15 AM

    • Milestone changed from 3.0.5 to 3.0.6
  • Matthew Stopa

    Matthew Stopa April 28th, 2011 @ 08:38 PM

    Does anyone know if this issue has been fixed yet? It looks like things have changed a lot in Rails3 since the patch was submitted. We're experiencing the problem currently where our users are getting their emails with escaped characters. Anyone know a workaround?

  • Bertg

    Bertg April 28th, 2011 @ 09:19 PM

    I have no idea what the status on this ticket is, but the work around we used is to indicate EACH string as html safe manually. That works great :)

  • Matthew Stopa

    Matthew Stopa April 28th, 2011 @ 10:08 PM

    That hasn't worked for me at all. Even with a basic ActionMailer where I specify the body as body => "blah blah".html_safe I am still seeing escaped characters in the emails it sends.

  • Fjan

    Fjan April 29th, 2011 @ 08:15 AM

    @Matthew: I've been using the monkey patch I provided in the November 11th post in production for quite some time now and it works great. Just drop it in the config/initializers directory.

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href=""></a>

Shared Ticket Bins

Referenced by