This project is archived and is in readonly mode.

#5014 ✓invalid
Carsten Gehling

I18n translated strings are html-escaped in views

Reported by Carsten Gehling | June 30th, 2010 @ 09:12 AM

I don't know if this is expected behavior or an unexpected by-product of Rails now auto-escaping all strings in views, but it bit me when upgrading my app to Rails 3 beta4. Best explained here:

http://gehling.dk/2010/06/avoid-html-escaping-i18n-strings-in-rails-3/

If the above fix is not added, all entries like <%=t(:some_key)%> have to be rewritten to <%=raw(t(:some_key))%> or <%=t(:some_key).html_safe%>

I will be happy to supply a patch, if you think this is a bug.

/Carsten

Comments and changes to this ticket

  • Carsten Gehling

    Carsten Gehling June 30th, 2010 @ 09:13 AM

    • Tag changed from i18n html_safe to html_safe, i18n
  • Carsten Gehling

    Carsten Gehling June 30th, 2010 @ 09:14 AM

    • Tag changed from html_safe, i18n to 3.x, html_safe, i18n
  • Jan De Poorter

    Jan De Poorter June 30th, 2010 @ 09:48 AM

    In my opinion it should be more "secure":

    @@@ruby
    <%# This should be html_safe by default %>
    <%= I18n.t(:hello_user) %>

    <%# This should not be html_safe %>
    <%= I18n.t(:user_title, :username => @user.name) %>
    @@@

    So basically if there is no interpolation it should be html_safe; if there is interpolation it should be escaped (because we all know 1 user with name <script>alert('I hax0red you')</script> right)

  • Jan De Poorter

    Jan De Poorter June 30th, 2010 @ 09:50 AM

    sorry for the bad formatting on my part there.

  • Carsten Gehling

    Carsten Gehling June 30th, 2010 @ 10:09 AM

    Ah yes of course. :-)

    I am not sure that it is a good idea to patch it then. It'll probably make things more confusing. Shouldn't a developer be able to expect just one kind of output from I18n.translate?

    I'm really in doubt about this.

    /Carsten

  • José Valim

    José Valim June 30th, 2010 @ 12:08 PM

    • State changed from “new” to “invalid”
    • Importance changed from “” to “Low”

    This is on purpose. Btw, if you append _html to the translation, it's marked as safe. That said:

    t(".title_html")

    It will be marked as safe and won't be escaped.
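
To compare Jan's proposal above (safe only when nothing is interpolated) with the `_html` suffix convention José describes, here is an added stand-alone Ruby model of that convention. It is not Rails' own code: `SafeString`, `TRANSLATIONS`, `translate` and `render` are constructed stand-ins for SafeBuffer, the locale file, `I18n.t` and `<%= %>`. The ticket only states that an `_html` key is marked safe; escaping the interpolated values inside such a key is a choice made in this example, and it is what closes the `<script>` username case.

```ruby
require "cgi"

# Stand-in for Rails' ActiveSupport::SafeBuffer (constructed for this example):
# a SafeString is a string that is already escaped and must not be escaped again.
class SafeString < String; end

# Escape anything that is not already marked safe.
def h(value)
  value.is_a?(SafeString) ? value : SafeString.new(CGI.escapeHTML(value.to_s))
end

# Constructed translation table; in a real app this lives in a locale YAML file.
TRANSLATIONS = {
  hello_user:      "Hello <b>%{username}</b>", # plain key: markup is untrusted
  hello_user_html: "Hello <b>%{username}</b>", # _html key: markup is trusted
}.freeze

# Model of the _html convention (not Rails' implementation):
#  * ordinary keys return a plain String, so the view escapes the whole result;
#  * keys ending in _html return a SafeString: the translation text itself is
#    trusted, but each interpolated value is escaped unless already marked safe.
def translate(key, **values)
  template = TRANSLATIONS.fetch(key)
  if key.to_s.end_with?("_html")
    SafeString.new(template % values.transform_values { |v| h(v) })
  else
    template % values.transform_values(&:to_s)
  end
end

# What <%= %> does in a Rails 3 view: escape unless the value is marked safe.
def render(value)
  h(value).to_s
end

if __FILE__ == $0
  evil = "<script>alert('I hax0red you')</script>"
  puts render(translate(:hello_user, username: evil))       # everything escaped
  puts render(translate(:hello_user_html, username: evil))  # <b> kept, script escaped
  puts render(translate(:hello_user_html, username: SafeString.new("<i>Bob</i>")))
end
```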

  • Carsten Gehling

Tickets have moved to Github

The new ticket tracker is available at https://github.com/rails/rails/issues
