Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

raw vs. html_safe vs. h to unescape html

Tags:

ruby-on-rails

erb

Suppose I have the following string 

@x = "<a href='#'>Turn me into a link</a>"

In my view, I want a link to be displayed. That is, I don't want everything in @x to be unescaped and displayed as a string. What's the difference between using

<%= raw @x %>
<%= h @x %>
<%= @x.html_safe %>

?

like image 850
grautur Avatar asked Nov 22 '10 23:11

grautur

3 Answers

Considering Rails 3:

html_safe actually "sets the string" as HTML Safe (it's a little more complicated than that, but it's basically it). This way, you can return HTML Safe strings from helpers or models at will.

h can only be used from within a controller or view, since it's from a helper. It will force the output to be escaped. It's not really deprecated, but you most likely won't use it anymore: the only usage is to "revert" an html_safe declaration, pretty unusual.

Prepending your expression with raw is actually equivalent to calling to_s chained with html_safe on it, but is declared on a helper, just like h, so it can only be used on controllers and views.

"SafeBuffers and Rails 3.0" is a nice explanation on how the SafeBuffers (the class that does the html_safe magic) work.

like image 153
Fábio Batista Avatar answered Nov 20 '22 15:11

Fábio Batista

I think it bears repeating: html_safe does not HTML-escape your string. In fact, it will prevent your string from being escaped.

<%= "<script>alert('Hello!')</script>" %>

will put:

&lt;script&gt;alert(&#x27;Hello!&#x27;)&lt;/script&gt;

into your HTML source (yay, so safe!), while:

<%= "<script>alert('Hello!')</script>".html_safe %>

will pop up the alert dialog (are you sure that's what you want?). So you probably don't want to call html_safe on any user-entered strings.

like image 127
roasm Avatar answered Nov 20 '22 16:11

roasm

The difference is between Rails’ html_safe() and raw(). There is an excellent post by Yehuda Katz on this, and it really boils down to this:

def raw(stringish)

  stringish.to_s.html_safe

end

Yes, raw() is a wrapper around html_safe() that forces the input to String and then calls html_safe() on it. It’s also the case that raw() is a helper in a module whereas html_safe() is a method on the String class which makes a new ActiveSupport::SafeBuffer instance — that has a @dirty flag in it.

Refer to "Rails’ html_safe vs. raw".

like image 51
Pankhuri Avatar answered Nov 20 '22 15:11

Pankhuri

Sign in to Comment

Related questions

rails 3.1.0 ActionView::Template::Error (application.css isn't precompiled)
Ruby: What is the easiest way to remove the first element from an array?
Run a single migration file
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
difference between collection route and member route in ruby on rails?
Rails raw SQL example
Disable Rails SQL logging in console
how to permit an array with strong parameters
Add a default value to a column through a migration
Float vs Decimal in ActiveRecord
Rails server says port already used, how to kill that process?
A cron job for rails: best practices?
PG::ConnectionBad - could not connect to server: Connection refused
Rails Root directory path?
Ruby on Rails generates model field:type - what are the options for field:type?
Rails: Check output of path helper from console
What does "WARN Could not determine content-length of response body." mean and how to I get rid of it?
How do I parse JSON with Ruby on Rails? [duplicate]
@ variables in Ruby on Rails
What is the best method of handling currency/money?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!