Rails 3 - Problems with raw and html_safe

Question

Using the raw and html_safe methods with Rails 3.0.10 and I am still unable to unescape the html and get it to display as Content instead of Content.

@object.property.html_safe gives me Some content

<%= raw(@object.property) %> also gives me Some content

I have seen these posts and tried to implement their fixes:

I have also watched the Ryan Bates Railscasts episode about xss protection: http://railscasts.com/episodes/204-xss-protection-in-rails-3?view=comments

I created a helper method based on his example called safe where I made sure the string content had the html_safe method applied:

def safe(content)
    "#{content}".html_safe
end

Then I called it on my model: safe(@object.property)

Still the content is not displaying as expected.

I have also tried using the sanitize method, but to no avail.

What could be causing this?

What output are you expecting, exactly? Your first two code examples do exactly what they're supposed to. Do you really mean you want it escaped? (e.g. `Some content...`) — Dylan Markow, Mar 05 '12 at 18:14
Just trying to get the actual html to display - not the tags. Updated question to be specific. — PhillipKregg, Mar 05 '12 at 18:29

PhillipKregg · Accepted Answer · 2012-03-05T20:47:41.567

Ok, looks like I've got it working now.

Looked in the Ruby docs and found the CGI class and the unescapeHTML method.

I was using a rich text editor in a form to save text to the database. Apparently since the html was sent to the database as escaped, I needed to undo the escaping and then call html_safe on it.

This is how it appears in the database: howdy

I applied that to my helper method, and now the html displays as html instead of tags.

def safe(content)
  "#{ CGI::unescapeHTML(content) }".html_safe
end

This works, but if there is a better way to handle this scenario I'm open to suggestions.

Update

I was experimenting with Rails helper methods to try and prevent the text from being saved to the database as escaped (which would solve my problem since then I wouldn't have to un-escape it).

As it turns out, the rich text editor that I am using is encoding the html - you have to pass it a property of encoded: false within the javascripts object literal notation.

So, if you are like me and pulling your hair out trying to find out why Rails is saving text to the database as encoded - you may actually need to tweak configuration on the rich text editor itself.

Now I can remove the CGI class and just use this as a helper:

def safe(content)
  "#{ content }".html_safe
end

Hopefully someone else will find this helpful too.

The better way to handle it is to not store escaped HTML in the DB if you intend to render it unescaped `:)`. — Andrew Marshall, Mar 05 '12 at 18:39
I've tried using the raw and html_safe methods on the form's text_area, but it still strores it as escaped. How would I prevent the form from saving it as escaped? — PhillipKregg, Mar 05 '12 at 18:42

score 0 · Answer 2 · answered Oct 08 '12 at 11:55

0

Here is another option, and perhaps the better one. Use the following snippet.

plain_text = strip_tags(html_input)

Here is the links to docs.enter link description here

answered Oct 08 '12 at 11:55

Nadeem Yasin

4,493
3
32
41

Rails 3 - Problems with raw and html_safe

2 Answers2