0

I have a string that came from a field in my model.

# <br />
"This is my title with break &lt;br /&gt; in the middle"

I'm rendering it on my view:

<p>
  <%= raw @model.title %>
</p>

Which outputs something like this:

<p>
  This is my title with break <br /> in the middle
</p>

However, the <br /> shows up as string and not as html. Any ideas?

Thanks!

Improve this question
2
  • 1
    Un-escape it, then use html_safe. Enjoy the scripting attacks. Commented Nov 27, 2013 at 4:11
  • @DaveNewton Does the html_safe prevents those attacks? Commented Nov 27, 2013 at 10:15

1 Answer 1

Reset to default
4

Yes, as Dave Newton said, you should unescape then use html_safe. If your html in your model is not complex, you could use CGI.unescapeHTML to unescape. But if it is, I think you should use gem HTMLEntities at http://htmlentities.rubyforge.org/

<p>
  <%= (CGI.unescapeHTML @model.title).html_safe %>
</p>
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.