The following code in my application_helper.rb class either eats the
flash message or escapes it and does not display properly:
# Outputs the corresponding flash message if any are set
def flash_messages
  messages = []
  %w(notice warning error).each do |msg|
    messages << content_tag(:div, content_tag(:p,
      html_escape(flash[msg.to_sym])), :class => "message #{msg}") unless
      flash[msg.to_sym].blank?
  end
  messages
end
I am not sure how to make it html_safe so that Rails 3 renders it
properly. No problems with Rails 2.3.8, but I had to mark the entire
method "safe_method" using rails_xss plugin.
Is there a rule to doing this kind of view sanitization?
Thanks.
Bharat
On Mon, Aug 16, 2010 at 9:21 PM, Bharat R. wrote:
> I am not sure how to make it html_safe so that Rails 3 renders it
> properly.
Rails 3 is html safe by default. You only need to use 'raw' if you
want it unsafe.
--
Greg D.
destiney.com | gregdonald.com
Sorry,
Did not ask my question properly. You are right, Rails 3 is safe by
default.
What I meant to ask is how do I fix the method shown above so that the
rendered HTML is not escaped and therefore displays properly?
Thanks.
Bharat
def flash_messages
  %w(notice warning error).each do |msg|
    concat content_tag(:div, content_tag(:p, flash[msg.to_sym]),
      :class => "message #{msg}") unless flash[msg.to_sym].blank?
  end
end
in the layout: <% flash_messages %>
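The following is an added, self-contained illustration of the behaviour discussed in this thread; it is not code from any of the posters and does not use Rails itself. SafeBuffer, html_escape, content_tag, safe_join and render_erb_output below are simplified stand-ins for the ActiveSupport/ActionView output-safety machinery, and FLASH is a constructed sample flash hash. It shows why the first helper's markup came out escaped (an Array is returned, `<%= %>` calls to_s on it and escapes the result, because an Array is never html_safe), why Greg's point that Rails 3 escapes by default holds, and how returning one html_safe buffer built from escaped pieces gives the intended rendering without ever calling raw on untrusted flash text.

```ruby
require "cgi"

# Everything is untrusted unless it says otherwise (mirrors Object#html_safe? in Rails).
class Object
  def html_safe?
    false
  end
end

class String
  # Wrap this string in a buffer that is trusted as markup.
  def html_safe
    SafeBuffer.new(self)
  end
end

# Simplified stand-in for ActiveSupport::SafeBuffer (constructed for this
# example): a String that remembers it is trusted markup and escapes any
# untrusted String appended to it, while letting other SafeBuffers through.
class SafeBuffer < String
  def html_safe?
    true
  end

  def concat(other)
    super(other.html_safe? ? other : CGI.escapeHTML(other.to_s))
  end
  alias << concat
end

# Escape untrusted text and mark the result safe; already-safe input passes through
# (the shape of ERB::Util.html_escape).
def html_escape(text)
  text.html_safe? ? text : CGI.escapeHTML(text.to_s).html_safe
end

# Toy content_tag: tag name and attributes are trusted, the body is escaped
# unless it is already a SafeBuffer.
def content_tag(name, body, options = {})
  attrs = options.map { |k, v| %( #{k}="#{CGI.escapeHTML(v.to_s)}") }.join
  buf = "<#{name}#{attrs}>".html_safe
  buf << body
  buf << "</#{name}>".html_safe
  buf
end

# Like Rails' safe_join: escape each piece, join, and mark the whole thing safe.
def safe_join(pieces, separator = "")
  pieces.map { |p| html_escape(p) }.join(html_escape(separator)).html_safe
end

# What <%= value %> does in a Rails 3 view: to_s, then escape unless html_safe?.
def render_erb_output(value)
  value.html_safe? ? value.to_s : CGI.escapeHTML(value.to_s)
end

# Constructed sample flash; the error text contains markup a user could have typed.
FLASH = { notice: "Saved", error: "Name is blank & <b>must</b> be set" }

# Shape of the first helper in the thread: returns an Array of buffers.
# An Array is not html_safe, so <%= %> inspects and escapes it; the page shows
# the tags literally.
def flash_messages_array(flash)
  messages = []
  %w(notice warning error).each do |msg|
    text = flash[msg.to_sym]
    next if text.nil? || text.empty?
    messages << content_tag(:div, content_tag(:p, html_escape(text)), class: "message #{msg}")
  end
  messages
end

# Same helper returning a single SafeBuffer: the structural markup is trusted,
# the flash text inside it is still escaped, and the result renders as HTML.
def flash_messages_safe(flash)
  messages = %w(notice warning error).map do |msg|
    text = flash[msg.to_sym]
    next if text.nil? || text.empty?
    content_tag(:div, content_tag(:p, text), class: "message #{msg}")
  end
  safe_join(messages.compact)
end

if __FILE__ == $0
  puts "Array version:  #{render_erb_output(flash_messages_array(FLASH))}"
  puts "Buffer version: #{render_erb_output(flash_messages_safe(FLASH))}"
end
```

The concat-based helper from the last post sidesteps the same problem a different way: it writes each buffer straight into the view's output buffer instead of returning a collection, so nothing ever goes through Array#to_s.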