Rails 3 flash message problems

bruparel · August 17, 2010, 4:21am

The following code in my application_helper.rb class either eats the
flash message or escapes it and does not display properly:

Outputs the corresponding flash message if any are set

def flash_messages
messages = []
%w(notice warning error).each do |msg|
messages << content_tag(:div, content_tag(:p,
html_escape(flash[msg.to_sym])), :class => “message #{msg}”) unless
flash[msg.to_sym].blank?
end
messages
end

I am not sure how to make it html_safe so that Rails 3 renders it
properly. No problems with Rails 2.3.8, but I had to mark the entire
method “safe_method” using rails_xss plugin.

Is there a rule to doing this kind of view sanitization?

Thanks.

Bharat

bruparel · August 17, 2010, 4:42am

On Mon, Aug 16, 2010 at 9:21 PM, Bharat R. removed_email_address@domain.invalid
wrote:

I am not sure how to make it html_safe so that Rails 3 > renders it properly.

Rails 3 is html safe by default. You only need to use ‘raw’ if you
want it unsafe.

–
Greg D.
destiney.com | gregdonald.com

bruparel · August 17, 2010, 4:56am

Sorry,
Did not ask my question properly. You are right, Rails 3 is safe by
default.

What I meant to ask is how do I fix the method shown above so that the
rendered HTML is not escaped and therefore displays properly?
Thanks.
Bharat

bruparel · August 20, 2010, 4:59pm

def flash_messages
%w(notice warning error).each do |msg|
concat content_tag(:div, content_tag(:p, flash[msg.to_sym]),
:class => “message #{msg}”) unless flash[msg.to_sym].blank?
end
end

in the layout: <% flash_messages %>