This project is archived and is in readonly mode.

#5530 ✓invalid

select_tag wrongly escaped option tags passed to it in rails 3.0.0

Reported by foxban | September 2nd, 2010 @ 07:07 AM

# File actionpack/lib/action_view/helpers/form_tag_helper.rb, line 95
 95:       def select_tag(name, option_tags = nil, options = {})
 96:         if Array === option_tags
 97:           ActiveSupport::Deprecation.warn 'Passing an array of option_tags to select_tag implicitly joins them without marking them as HTML-safe. Pass option_tags.join.html_safe instead.', caller
 98:         end
100:         html_name = (options[:multiple] == true && !name.to_s.ends_with?("[]")) ? "#{name}[]" : name
101:         if blank = options.delete(:include_blank)
102:           if blank.kind_of?(String)
103:             option_tags = "<option value=\"\">#{blank}</option>".html_safe + option_tags
104:           else
105:             option_tags = "<option value=\"\"></option>".html_safe + option_tags
106:           end
107:         end
108:         content_tag :select, option_tags, { "name" => html_name, "id" => sanitize_to_id(name) }.update(options.stringify_keys)
109:       end

On line 108, content_tag is called directly; however, content_tag will escape the strings passed to it.

So when I type

<%= select_tag :idc_id, "<option></option>"  %>
I got:
<select name="idc_id" id="idc_id">&lt;option&gt;&lt;/option&gt;</select>
and it never displays in the browser correctly.

By the way, I didn't find that the select_tag function supports an option like ":escape => false".

To fix this, I changed the source code of select_tag a little, as follows:

108:    content_tag :select, option_tags, { "name" => html_name, "id" => sanitize_to_id(name) }.update(options.stringify_keys), false

Everything works smoothly then.

It's not clear to me whether this is a feature or a bug.
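
The escaping behaviour discussed in this ticket, as an added example that is not part of the original report and not Rails' own code: a plain-Ruby model comparing the ticket's call, the proposed `escape = false` patch, and the approach named in the deprecation message on line 97 (mark the option markup HTML-safe). `SafeString`, `h`, `model_content_tag`, `model_select_tag` and `safe_option` are hypothetical names, and the untrusted label is constructed.

```ruby
require 'erb'

# Simplified stand-in for ActiveSupport::SafeBuffer (a model, not the Rails
# class): the String subclass records that the markup is trusted.
class SafeString < String; end

def h(value)
  ERB::Util.html_escape(value.to_s)
end

# Model of content_tag's fourth argument: with escape on, content is
# HTML-escaped unless it was explicitly marked safe.
def model_content_tag(name, content, attrs = {}, escape = true)
  body = escape && !content.is_a?(SafeString) ? h(content) : content
  attr_str = attrs.map { |k, v| " #{k}=\"#{h(v)}\"" }.join
  SafeString.new("<#{name}#{attr_str}>#{body}</#{name}>")
end

def model_select_tag(name, option_tags, escape = true)
  model_content_tag(:select, option_tags, { "name" => name, "id" => name }, escape)
end

# Escape value and label, then mark only the finished <option> as safe.
def safe_option(value, label)
  SafeString.new("<option value=\"#{h(value)}\">#{h(label)}</option>")
end

# Constructed input: a label taken from a user-editable field.
UNTRUSTED_LABEL = '</option></select><script>alert(1)</script>'

# 1. The ticket's call: a plain String is escaped, so no <option> renders.
PLAIN = model_select_tag("idc_id", "<option></option>")
# 2. The ticket's patch (escape = false): plain strings pass through verbatim,
#    including markup interpolated from untrusted data.
PATCHED = model_select_tag("idc_id", "<option>#{UNTRUSTED_LABEL}</option>", false)
# 3. Escaping stays on; data is escaped per option and the markup marked safe.
HARDENED = model_select_tag("idc_id", safe_option("1", UNTRUSTED_LABEL))

puts PLAIN, PATCHED, HARDENED if __FILE__ == $PROGRAM_NAME
```

With escaping left on, only strings the caller has deliberately marked safe are emitted as markup, so the trust decision stays at the point where the option tags are built.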
