 

Rails 3: User input escaping working differently in views and mailer

I'm using the following set of code in both my views and the mailer:

<%= simple_format(auto_link(h(user_input))) %>

I begin by calling html_safe (h) on the user_input, in order to escape any dangerous code. I then call auto_link to enable any links in their input, and then I call simple_format to enable line breaks and such.

This works perfectly in my view, and properly displays the following, fully escaped, yet with a working link:

" http://google.com "

However, when the exact same code is rendered in an ActionMailer email, I'm seeing all of the special characters, including my autolink, doubly escaped (the &amp;quot;, for example, doesn't display correctly as a result):

&amp;quot; &lt;a href=3D&quot;http://google.com&quot;&gt;http://google.=com&lt;/a&gt; &amp;quot;

For some reason, I need to re-mark it as html_safe again to get it working:

<%= simple_format(auto_link(h(user_input))).html_safe %>

This correctly outputs:

&quot; <a href=3D"http://google.com">http://google.com</a> &quot;

Any ideas on why ActionView and ActionMailer treat the same code differently?

William Jones asked Jul 24 '11 03:07
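The escape-once behaviour the question depends on, as an added example that is not part of the original post and not Rails' own code: a minimal stand-in for ActiveSupport::SafeBuffer (a String that remembers it has already been escaped), the `<%= %>` output step that escapes anything not carrying that mark, a helper that preserves the mark next to one that drops it (which reproduces the double-escaped mailer output above), and a check that the trailing `.html_safe` from the question is only acceptable because `h` already ran on the untrusted part. `USER_INPUT`, the simplified `auto_link_safe` / `simple_format_safe` / `simple_format_unsafe` helpers and the `*_pipeline` names are constructed for this example; real `auto_link` and `simple_format` do more than shown here.

```ruby
require 'cgi'

# Stand-in for ActiveSupport::SafeBuffer: a String that reports itself as
# already escaped. Rails' h()/html_escape returns one of these.
class SafeString < String
  def html_safe?
    true
  end
end

class String
  def html_safe?
    false
  end

  # Mark a string as trusted markup WITHOUT escaping it (same contract as Rails).
  def html_safe
    SafeString.new(self)
  end
end

# Escape once: an already-safe string is returned untouched, so h(h(x)) == h(x).
def h(str)
  return str if str.html_safe?
  CGI.escapeHTML(str).html_safe
end

# What ERB's <%= %> does in Rails 3: escape plain Strings, emit SafeStrings as-is.
def erb_output(str)
  str.html_safe? ? String.new(str) : CGI.escapeHTML(str)
end

# Simplified auto_link: wraps bare URLs in <a>; keeps the safe mark because the
# only markup it adds is its own and the input is expected to be escaped already.
def auto_link_safe(str)
  str.gsub(%r{https?://\S+}) { |url| %(<a href="#{url}">#{url}</a>) }.html_safe
end

# Simplified simple_format that keeps the mark (what the view pipeline sees).
def simple_format_safe(str)
  "<p>#{str.gsub(/\r?\n/, '<br />')}</p>".html_safe
end

# Same markup, but returned as a plain String: the safe mark is lost, so the
# output step escapes the whole thing a second time. This is the mailer symptom.
def simple_format_unsafe(str)
  "<p>#{str.gsub(/\r?\n/, '<br />')}</p>"
end

# Constructed sample: the question's quoted URL plus a script tag (assumption).
USER_INPUT = %(" http://google.com "\n<script>alert(1)</script>)

# View: h -> auto_link -> simple_format, every step keeps the mark; escaped once.
def view_pipeline(input)
  erb_output(simple_format_safe(auto_link_safe(h(input))))
end

# Mailer as described in the question: the last helper drops the mark.
def mailer_pipeline(input)
  erb_output(simple_format_unsafe(auto_link_safe(h(input))))
end

# The question's workaround: re-assert the mark after the chain.
def mailer_pipeline_fixed(input)
  erb_output(simple_format_unsafe(auto_link_safe(h(input))).html_safe)
end

# The same workaround WITHOUT h() on the untrusted input: XSS goes straight through.
def dangerous_pipeline(input)
  erb_output(simple_format_unsafe(auto_link_safe(input)).html_safe)
end
```

Run the four pipelines on `USER_INPUT` and compare: `view_pipeline` and `mailer_pipeline_fixed` agree and contain `&lt;script&gt;`, `mailer_pipeline` begins with `&lt;p&gt;&amp;quot;` exactly like the doubly-escaped email in the question, and `dangerous_pipeline` emits a live `<script>` tag. The rule of thumb the last function illustrates: `.html_safe` is a claim, not a sanitizer, and is only justified when every untrusted fragment inside the string was escaped (or sanitized) before the mark was applied.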


1 Answer

If you call simple_format from the email template (to render out line breaks), the behavior you get is terribly unusual, and it turns out this helper is overwritten with a private method.

Anyways, you can access simple_format in the email template by using this hack:

ApplicationController.helpers.simple_format()

Hopefully in another rails release this will be fixed.

Bartuzz answered Oct 17 '22 22:10