#html_safe

When using embedded erb tags to display content on your rails website, there will be occasions where you’ll want to wrap instance variables in html code.  Rails uses the SafeBuffer object to help deal with this code and some of the potential pitfalls.  Let’s walk through how SafeBuffer and #html_safe work.

By default, all strings embedded into erb tags will be “escaped” — in other words, the html tags in the string will be replaced with harmless characters. For example:

<%= '<br />' %>

Would appear as follows in the resulting html document:

<br /&gt

You can modify this behavior by calling the #html_safe method on the string.  In essence, #html_safe tells the browser that you’ve vetted the string and approve of its contents.  

<%= 'br />'.html_safe %>

Results in the following html:

<br />

Let’s see how this actually plays out in real life.  A common area where we want to use an erb tag to display html is through a view helper method.  In our view, we have the following line of code:

<%= greet_user(@user.username) %>

Which calls the following method:

def greet_user(username) "Greetings, <strong>#{username}</strong>!" end

Unfortunately, this code will not do what the code’s author likely expects.  As explained above, all strings embedded in ERB tags are escaped in entirety by default.  The resulting HTML would look like this:

Greetings, <strong>SweetBaby123</strong>!

Oops! That’s certainly not what we want.  What if we modified our view helper method as follows:

def greet_user(username) "Greetings, <strong>#{username}</strong>!".html_safe end

if the username was SweetBaby123, the resulting HTML code would look like this:

Greetings, <strong>SweetBaby123</strong>!

That looks much better! BUT WAIT. Before you bust out the champaign on a job well done, you should be aware that the above view helper method has a major security pitfall! 

If the user was malicious, he could potentially change his username to something dangerous — like an evil JS script! Because #html_safe was called in whole on the string, the malicious script would make it into a user’s browser with no push back from rails:

Greetings, <strong><script>EVIL_JAVA_SCRIPT</script></strong>!

This is not good!  

So how do we solve the issue?  When defining your view helpers, selectively use html_safe on the areas you KNOW are safe.  Allow Ruby to automatically escape unverified content.  See below for the right way to handle it:

def greet_user(username) html = "Greetings, <strong>".html_safe html << username html << "</strong>!".html_safe html end

With the above example, even if someone inserts a malicious script as their username, the code will be escaped and it will have no effect:

Greetings, <strong><script>EVIL_JAVA_SCRIPT</script></strong>!

So I want to write a rails view helper which returns some nice html like this

<div> sandeep arneja </div>

This issue is that this rails helper has some html like div which should not be escaped and then the user's name sandeep which should be esacped as it comes from the user.

now rails has this thing built in to escape all data it outputs in the view. this is very useful for me. I am building an app very fast, i have tons of information coming from various sources and I dont have the resource to look and each of them and decide which need to be esacped. I like that any thing in the view which is like this, gets escaped.

<%= @user.name %>

We can have rails not escapee stuff we trust by saying

<%= raw @user.name %>

I don't want to do this for my reasoning above.

Another thing we can do is html_safe. We can call html_safe on our result in the view and that will mark the string safe and now rails will not escape it. This would work, but i dont want to mark the whole string as safe. The user name part still needs to be esacped.

So this is what i ended up doing

def my_name name = CGI.escapeHTML @user.name return "<div>"+name+"</div">.html_safe end

With this strategy:

the string is marked safe and rails wont escape it in the view