html_escape_once decodes items flagged html_safe #48256

If we mark something `html_safe`, we typically expect it to be rendered as-is and left alone. If we utilize `html_escape_once` then somehow the above purpose of `html_safe` is neglected and that item is decoded. This doesn't appear to be an uncaught edge case, but rather something done explicitly as is shown below (ref)

This seems to be inconsistent behavior as `html_escape` itself explicitly skips the escaping. What's the purpose of this? We have an explicit line here for this, so surely there was some thought put into this 🤔.

https://github.com/rails/rails/blob/4e1fe73028f4b01c8e5179989511b21925f70b20/activesupport/lib/active_support/core_ext/erb/util.rb#LL67C1-L67C47

Comments

Historical note: this behavior seems to date back to 608eddc (2012-01-12) when the method was extracted from The original implementation in A reasonable conclusion might be that the decision to preserve the I think it would be appropriate to update the behavior of this method to always return an

I've created #48265 to have this method always return an

This method previously maintained the `html_safe?` property of a string on the return value. Because this string has been escaped, however, not marking it as `html_safe` causes entities to be double-escaped. As an example, take this view snippet:

```html
<p><%= html_escape_once("this & that & the other") %></p>
```

Before this change, that would be double-escaped and render as:

```html
<p>this &amp; that &amp; the other</p>
```

After this change, it renders correctly as:

```html
<p>this & that & the other</p>
```

[Fix rails#48256]

thanks @flavorjones and @byroot 🍾
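To make the behaviour discussed in the issue body and in the fix's commit message concrete, here is an added example. It is not Rails code and not code from the issue author or the PR: it models a `SafeString` flag in place of `ActiveSupport::SafeBuffer`, an `html_escape` that skips input already marked safe, the old `html_escape_once` (result inherits the input's `html_safe?` flag) beside the fixed one (result is always marked safe), and an `erb_output` stand-in for what `<%= %>` does. The class, constant and helper names are this example's own assumptions; the `ESCAPE_ONCE_REGEXP` is written here to match the "escape only unescaped `&`" idea and is not copied from Rails.

```ruby
# Added example (not Rails code): a toy model of html_safe, html_escape and
# html_escape_once, showing why returning a non-html_safe string from
# html_escape_once leads to double escaping inside <%= %>.

# Replacement table for the five characters HTML escaping handles.
HTML_ESCAPE = {
  "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;", "'" => "&#39;"
}.freeze

# Matches <, >, ", ' and any & that does NOT already begin an entity
# (named, decimal numeric, or hex numeric). Assumption of this example.
ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)/

# Stand-in for ActiveSupport::SafeBuffer: a String that reports itself as
# already escaped.
class SafeString < String
  def html_safe?
    true
  end
end

class String
  # Plain strings are never trusted as HTML.
  def html_safe?
    false
  end

  # Mark a string as already escaped.
  def html_safe
    SafeString.new(self)
  end
end

# html_escape: leave html_safe input alone (the behaviour the issue points at),
# otherwise escape every special character and mark the result safe.
def html_escape(s)
  return s if s.html_safe?
  s.to_s.gsub(/[&"'><]/, HTML_ESCAPE).html_safe
end

# Old behaviour described in the issue: escape once, then copy the input's
# html_safe? flag onto the result, so an unsafe input yields an unsafe result.
def html_escape_once_old(s)
  result = s.to_s.gsub(ESCAPE_ONCE_REGEXP, HTML_ESCAPE)
  s.html_safe? ? result.html_safe : result
end

# Fixed behaviour described in the commit message: the result has been escaped,
# so it is always marked html_safe.
def html_escape_once_new(s)
  s.to_s.gsub(ESCAPE_ONCE_REGEXP, HTML_ESCAPE).html_safe
end

# Stand-in for <%= %>: escape anything that is not already marked html_safe.
def erb_output(value)
  html_escape(value).to_s
end

# Render the view snippet from the commit message with each implementation.
def render_old(text)
  "<p>#{erb_output(html_escape_once_old(text))}</p>"
end

def render_new(text)
  "<p>#{erb_output(html_escape_once_new(text))}</p>"
end

if $PROGRAM_NAME == __FILE__
  input = "this & that & the other"
  # HTML source emitted by each version; the browser shows the old one as
  # "this &amp; that &amp; the other" because the entity itself got escaped.
  puts render_old(input) # <p>this &amp;amp; that &amp;amp; the other</p>
  puts render_new(input) # <p>this &amp; that &amp; the other</p>
end
```

The `html_escape_once_new` result is safe to hand to `<%= %>` precisely because it has already been escaped; marking it safe is what stops the second pass, and the regexp guarantees an already-encoded entity such as `&amp;` is not touched again.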