Thursday, August 26, 2010

Rails 2.3.8 automatically escaping HTML when you don't want it to

I was upgrading my application to Rails 2.3.8 from 2.3.5 and found a pretty annoying bug in Rails 2.3.8. This bug HAS BEEN FIXED in Rails 2.3.9, so simply install Rails 2.3.9 to get around this problem. However, there are a lot of other problems with Rails 2.3.9; read my posting at Upgrade to Rails 2.3.9 session no longer works for the bug that was a killer for me. Other problems have been reported too. I'm just sticking with 2.3.5.

The bug is that when you concatenate HTML strings in helper methods, Rails will automatically HTML-escape the string under certain conditions. There is NO way to tell Rails not to do this. Here is an example that reproduces the problem. Add these two methods to your application helper:

Then simply output the outer_helper method in one of your views:

  <%= outer_helper %>

This is the result:
about to call inner_helper method

inside p content tag

a space should be between the following words: hello&nbsp;worldmore <span style="font-weight:bold;">dirty HTML</span>
inside div content tag

outside of inner_helper method in p tag

This is obviously not what it should be producing. Rails 3 automatically escapes rendered HTML, but from what I've read you can simply call .html_safe on the output to mark that you don't want it escaped, or call raw(string). These don't exist in Rails 2.3.8. This bug has been fixed in this commit to the Rails code, which has been included in Rails 2.3.9.

The blog posting at shows some ways you can get around this, but in my opinion you shouldn't have to work around this. Just stick with 2.3.5, or if you're brave you can try 2.3.9.
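As an added illustration (not the post's helper code, and not Rails' own implementation), here is a small Ruby model of the html_safe contract the post refers to: SafeBuffer, content_tag and the three helpers are constructed stand-ins. It shows why a fragment built as a plain String comes out escaped once it is concatenated into a safe buffer, how marking a deliberately built fragment safe gives the intended markup, and that untrusted input is still escaped either way.

```ruby
# Minimal stand-in for the html_safe contract (a constructed model, not Rails code):
# a String subclass that remembers it holds trusted markup. Appending a plain
# String escapes it; appending another SafeBuffer leaves it alone.
class SafeBuffer < String
  ESCAPES = { "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;" }.freeze
  def self.escape(str)
    str.to_s.gsub(/[&<>"]/, ESCAPES)
  end
  def html_safe?
    true
  end

  def <<(other)
    super(other.html_safe? ? other : SafeBuffer.escape(other))
  end
end

class String
  def html_safe?
    false
  end

  # Mark a string as trusted markup; only do this for markup you built yourself.
  def html_safe
    SafeBuffer.new(self)
  end
end

# Stand-in for content_tag: the tag is trusted; the body is escaped unless already marked safe.
def content_tag(name, body)
  buf = "<#{name}>".html_safe
  buf << body
  buf << "</#{name}>".html_safe
end

# Mirrors the post's symptom: markup built as a plain String and concatenated into
# a safe buffer comes out escaped, so &nbsp; and <span> render as literal text.
def naive_helper
  content_tag(:p, "hello&nbsp;world <span>dirty HTML</span>")
end

# Intended result: mark only the fragment you deliberately built as HTML.
def intended_helper
  content_tag(:p, "hello&nbsp;world <span>dirty HTML</span>".html_safe)
end

# Untrusted input is still escaped on this path, which is the property to keep.
def user_input_helper(user_input)
  content_tag(:p, user_input)
end
```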


Brent said...

The newly released Rails 2.3.9 fixes this problem. I've revised the blog posting to reflect this.

Titus Barik said...

No thanks. According to the Ruby on Rails 2.3.9 comments, it appears that 2.3.9 breaks even more items.

Brent said...

Yeah, I have a later blog posting at that shows why I'm not upgrading to 2.3.9. I've modified this blog posting with a link to the killer 2.3.9 for me.