Henrik wrote in post #949279:
> I'm upgrading my CMS app to rails 3, but some parts just don't get
> unescaped :-(:
>
> From application.html.erb:
>
>         <% for article in topplinker %>
>           <% nr = nr + 1 -%>
>           <%= text2html(article.ingress, article.cloth).html_safe %> # <----- Here it is!

It's really difficult to know exactly what the problem is without 
seeing the code for text2html. You need to make sure the string 
generated inside of this method is marked html_safe in its entirety. 
It's most likely too late to call html_safe where you're showing here. 
As a rule of thumb html_safe is generally used inside of a helper 
method, whereas the "raw" method is generally used inside the view 
template.

Example:

<%=raw "<p>My HTML string I want displayed unescaped.</p>" %>

Here's a pretty nice article that goes into this in depth. Be sure to 
read the section near the end about using html_safe inside helper 
methods.

http://asciicasts.com/episodes/204-xss-protection-in-rails-3

-- 
Posted via http://www.ruby-forum.com/.
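An added example (not from the post, and not Rails' own code) of the helper pattern the reply recommends. It uses a tiny stand-in for Rails 3's SafeBuffer, a text2html helper that escapes the user-supplied ingress while it builds the markup, and, for comparison, a hypothetical plain-string version of the helper like the one the question presumably has, run through the same escape-on-output rule that <%= %> applies in Rails 3.

```ruby
require "erb"

# Minimal stand-in for Rails 3's ActiveSupport::SafeBuffer (assumption: not the
# real class, just enough to show the escaping behaviour discussed above).
class SafeBuffer < String
  def html_safe?
    true
  end

  # Appending a plain String escapes it; appending another SafeBuffer does not.
  def <<(other)
    safe = other.respond_to?(:html_safe?) && other.html_safe?
    super(safe ? other : ERB::Util.html_escape(other))
  end
end

class String
  def html_safe?
    false
  end

  def html_safe
    SafeBuffer.new(self)
  end
end

# Helper written the way the reply recommends: user text is escaped as it is
# appended, and the finished markup is returned as one buffer that is safe
# in its entirety, so the view does not need raw or html_safe.
def text2html(ingress, cloth)
  buf = SafeBuffer.new
  ingress.to_s.split(/\n{2,}/).each do |para|
    buf << %(<p class="#{ERB::Util.html_escape(cloth)}">).html_safe
    buf << para.strip          # plain String, so SafeBuffer#<< escapes it
    buf << "</p>".html_safe
  end
  buf
end

# Hypothetical version of the helper as the question suggests it looks: a plain
# String built by interpolation, with the ingress never escaped.
def text2html_plain(ingress, cloth)
  %(<p class="#{cloth}">#{ingress}</p>)
end

# What <%= %> does in Rails 3: escape the value unless it is marked html_safe.
def erb_output(value)
  value.html_safe? ? value.to_s : ERB::Util.html_escape(value)
end
```

With the plain helper, erb_output escapes the whole string (the symptom in the question), and calling html_safe on its result afterwards stops the escaping but also trusts whatever markup the ingress contained; the SafeBuffer helper renders its tags and escapes the ingress.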

-- 
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Talk" group.