1

In my rails application_helper.rb file, there is a parse method. Inside that method is a string variable html, which contains 

<form>

, other html tags, and

&nbsp;

in its value. I will call parse inside my view index.html.erb, with

<%= parse() %>

The call to parse will output the value of the html variable.

Quite unexpectedly, I noticed that the view renders a webpage which the browser didn't process at all, i.e., the webpage contains the writing

<form>

instead of rendering a form; and so on for all the other tags, such as

<br>.

And 

&nbsp;

was also not replaced by a corresponding space.

On checking the source code of the webpage, I noticed that all the ampersands(such as of 

&nbsp;

) was sent by the view to the browser as

&amp;

and < was sent as

&lt;

and similiarly for >.

So, what did happen? Putting 

<parse()>

inside

<%= %>

processed the value of html before handing it out to the browser? Why?

Another piece of the puzzle is, the webpage was rendered fine when I put parse() inside

<%== %>

(I know 

<%== %>

is not a correct syntax, I just discovered this piece of puzzle about it by mistake.)

So what is going on?

Improve this question

1 Answer 1

Reset to default
2

<%= => Escapes all tags for security reasons. For instance I will put some script into my name: <script>...something bad to steal your accesses, cookies, make redirects, etc</script>. When you visit my profile, this script will be executed. This attack is called Cross Site Scripting (XSS). So rails cares about you and escape all such thing to prevent XSS attacks.

What you are looking for is to call your expression this way:

<%= raw(parse()) %>

OR it's alias, that you mentioned:

<%== parse() %>

More details -- http://edgeguides.rubyonrails.org/active_support_core_extensions.html#output-safety

This should keep all your tags without escaping.... but keep in mind... if you have any kind of data, that was input by the user in parse, then you will open an XSS vulnerability in your application. It's not something you should NEVER do. It's something that you should do only in case, when you know what you are doing ;)

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Then when we use the link_to, or image_tag helper functions inside <%= %> , why isn't the generated <a> tag or <img> tag escaped?
As I know, link_to uses content_tag in it's implementation and content_tag generates an html_safe string. One of the possible variants you could go with is <%= parse().html_safe %>. raw(parse()) is mostly like an alias to parse().to_s.html_safe

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.