<p>I'm using Rails 3. I want to display generated html fragment inside erb template</p> <pre class="prettyprint"><code><%= "<div>Foo Bar</div>" %> </code></pre> <p>Rails encodes div tags. </p> <p>If I'm correct in Rails 2 <code><%=h</code> causes html escaping. Seems that it was changed in Rails 3. How can insert html fragment without encoding in Rails 3?</p> <p>Regards, Alexey.</p>

<p>I assume by encoding you mean the html-escaping:</p> <p>To put out raw html in Rails 3 you can use three different approaches.</p> <ol> <li> <p>your can use the <code>raw</code> helper to output raw html</p> <pre class="prettyprint"><code><% some_string = "<div>Hello World!</div>" %> <%= some_string %>  <%=raw some_string %>  </code></pre> <p>more information: ActionView::Helpers::OutputSafetyHelper#raw</p> </li> <li> <p>You can mark the string as <code>html_safe</code></p> <pre class="prettyprint"><code><% some_string = "<div>Hello World!</div>".html_safe %> <%= some_string %>  </code></pre> <p>more information: String#html_safe and ActiveSupport::SafeBuffer#new</p> </li> <li> <p>You can sanitize your output with <code>sanitize</code></p> <pre class="prettyprint"><code><%=sanitize "<div>Hello World!</div>", tags: %w( div ) %> </code></pre> <p>more information: ActionView::Helpers::SanitizeHelper#sanitze </p> </li> </ol> <p>Some more Information:</p> <ul> <li>SafeBuffers and Rails 3.0</li> <li>Railscast #204: XSS Protection in Rails 3</li> </ul>

Html escaping in a Rails 3 view

Q: Why is HTML escaping?

Escapes are very useful for representing characters that are not apparent or are ambiguous. Numeric or named character references, as well as CSS escapes, can be used to represent characters in HTML style attribute. The style element HTML can not contain numeric or named character references.

Q: How do you escape in Ruby?

When using strings in Ruby, we sometimes need to put the quote we used to define the string inside the string itself. When we do, we can escape the quote character with a backslash \ symbol.

Q: What is Html_safe?

Marks a string as trusted safe. It will be inserted into HTML with no additional escaping performed.

Tags:

ruby-on-rails

ruby-on-rails-3

xss

erb

I'm using Rails 3. I want to display generated html fragment inside erb template

<%= "<div>Foo Bar</div>" %>

Rails encodes div tags.

If I'm correct in Rails 2 <%=h causes html escaping. Seems that it was changed in Rails 3. How can insert html fragment without encoding in Rails 3?

Regards, Alexey.

438

asked Aug 26 '10 09:08

Alexey Zakharov

1 Answers

I assume by encoding you mean the html-escaping:

To put out raw html in Rails 3 you can use three different approaches.

your can use the raw helper to output raw html

<% some_string = "<div>Hello World!</div>" %>
<%= some_string %>
<!-- outputs: &lt;div&gt;Hello Worlds!&lt;/div&gt; -->
<%=raw some_string %>
<!-- outputs: <div>Hello Worlds!</div> -->

more information: ActionView::Helpers::OutputSafetyHelper#raw

You can mark the string as html_safe

<% some_string = "<div>Hello World!</div>".html_safe %>
<%= some_string %>
<!-- outputs: <div>Hello World!</div> -->

more information: String#html_safe and ActiveSupport::SafeBuffer#new

You can sanitize your output with sanitize
```
<%=sanitize "<div>Hello World!</div>", tags: %w( div ) %>
```
more information: ActionView::Helpers::SanitizeHelper#sanitze

Some more Information:

SafeBuffers and Rails 3.0
Railscast #204: XSS Protection in Rails 3

171

answered Oct 02 '22 04:10

jigfox

Related questions
                            
                                Push Notifications using Rails server
                            
                                Passing parameter to controller action through routes [duplicate]
                            
                                What is all this [1m[35m in my logs, and how do I make it go away?
                            
                                How to create a catch-all route in Ruby on Rails?
                            
                                How do you set a not null constraint in activerecord for ruby?
                            
                                How to get the img src using Nokogiri and at_css
                            
                                Is it possible to disable the standard PUT route in Rails 4?
                            
                                Getting Rails error "syntax error, unexpected tSYMBEG, expecting keyword_do or '{' or '('"
                            
                                local variable or method `config' for main:Object (NameError)
                            
                                How to run QUnit tests from command line?
                            
                                Rails plain text template
                            
                                What is the difference between "rake db:seed" and rake db:fixtures:load"
                            
                                Heroku + Rails + PG: ActiveRecord::StatementInvalid (PG::ConnectionBad: PQconsumeInput() SSL connection has been closed unexpectedly
                            
                                Adding Boolean Column Value in Ruby on Rails
                            
                                Pushing a single table to Heroku
                            
                                Rails models in subfolders and relationships
                            
                                Rails 4 and ActionCable
                            
                                In RSpec, how to expect multiple messages with different parameters in any order?
                            
                                How does "config/initializers/new_framework_defaults_5_2.rb" work?
                            
                                Ruby On Rails in MAMP mySQL Snow Leopard

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!

Donate Us With