On Jan 30, 6:40 pm, Jeff Miller <li...@ruby-forum.com> wrote:
> Hello,
> I'm trying to follow a book (www.RailsSpace.com). The book was made
> with an older version of Rails, but I'm using Rails 3. I've got a
> snippet of code in my application helper that is supposed to add a text
> field... It does, but it comes out as escaped TEXT on the webpage. Here
> is my helper method:
>
> def text_field_for(form, field,
>                    size=HTML_TEXT_FIELD_SIZE,
>                    maxlength=DB_STRING_MAX_LENGTH)
>   label = content_tag("label", "#{field.humanize}:", :for => field)
>   form_field = form.text_field field, :size => size, :maxlength => maxlength
>   content_tag("div", "#{label} #{form_field}", :class => "form_row")
> end
>
> Then the ERB:
> <%= text_field_for form, "first_name" %>
>
> ...and finally when it's rendered:
> <label for="first_name">First name:</label>
> <input id="spec_first_name" maxlength="255" name="spec[first_name]" size="15" type="text" value="" />
>
> ...which looks right, but it's escaped HTML text for some reason. Anyone
> know why?
Rails now has XSS protection built in. You need to tell Rails that the
string you've constructed ("#{label} #{form_field}") is safe. One way
of doing this is calling html_safe! on it.
Fred
>
> Thanks,
> - Jeff Miller
>
> --
> Posted via http://www.ruby-forum.com/.
--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
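An added example (not the thread's code, and not Rails itself) that models Rails 3's SafeBuffer escaping with a small stand-in, to show why the interpolated string comes out escaped and how to build the row without marking a string that embeds user data as safe. `SafeBuffer`, `h`, `content_tag` and `text_field` below are simplified stand-ins for the Rails helpers, not their real implementations.

```ruby
require "cgi"

# Stand-in for Rails 3's ActiveSupport::SafeBuffer (assumption: it models only
# the behaviour the thread discusses; it is not the real class).
class SafeBuffer < String
  def html_safe?; true; end
  # Appending an unsafe String escapes it; appending a SafeBuffer does not.
  def <<(other)
    super(other.html_safe? ? other : CGI.escapeHTML(other))
  end
end

class String
  def html_safe?; false; end
  def html_safe; SafeBuffer.new(self); end
end

# Escape unless already marked safe (the role of ERB::Util.html_escape).
def h(value)
  value.html_safe? ? value : CGI.escapeHTML(value).html_safe
end

# Build a tag; attribute values and body are escaped unless marked safe.
def content_tag(name, content, attrs = {})
  attr_str = attrs.map { |k, v| %( #{k}="#{CGI.escapeHTML(v.to_s)}") }.join
  "<#{name}#{attr_str}>#{h(content)}</#{name}>".html_safe
end

# Text input whose value is always escaped (it is user-controlled data).
def text_field(name, value)
  %(<input id="#{name}" name="#{name}" type="text" value="#{CGI.escapeHTML(value)}" />).html_safe
end

# The thread's helper: interpolating two SafeBuffers yields a plain String,
# so content_tag escapes the markup (the symptom Jeff sees).
def text_field_for_broken(field, value = "")
  label = content_tag("label", "#{field.tr('_', ' ').capitalize}:", for: field)
  content_tag("div", "#{label} #{text_field(field, value)}", class: "form_row")
end

# Fix: keep the pieces safe and join them through a SafeBuffer instead of
# calling html_safe on a string that may contain user data.
def text_field_for_fixed(field, value = "")
  label = content_tag("label", "#{field.tr('_', ' ').capitalize}:", for: field)
  body = "".html_safe
  body << label << " " << text_field(field, value)
  content_tag("div", body, class: "form_row")
end
```

Real Rails 3 offers the same join via `safe_join` or by appending to an html_safe buffer; the point is that `html_safe` should only ever mark markup the helper generated itself, so a user-supplied field value still reaches the page escaped.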