
I realized that if I put HTML code in a Rails text area, it will output the HTML.

For instance:

<b> Hello </b>

outputs as:

Hello

I thought Rails 3 text inputs automatically escaped HTML, but whenever I output @variable.textarea, it still shows the bold text. Is it being selective about what HTML to input? And how do I make sure all HTML is always escaped when I output the content of my textarea?

Thanks!

Laurent

1 Answer


If <b>hello</b> comes out as hello, that means HTML escaping is already prevented.

Since you don't want users to be able to use HTML in their inputs, you want HTML to be escaped, so that <b>hello</b> comes out as <b>hello</b>.

In a Rails 3 app, HTML automatically gets escaped, but you can explicitly escape it using the h method:

<%= h my_string %>
Dennis Hackethal
  • your solution worked and thank you for clarifying my poor use of language. Question: if HTML escaping is set to true by default, how come text area shows my hello as **hello** as output? That's what started my confusion in the first place. – Laurent Mar 30 '13 at 23:39
  • what version of rails are you using? – Dennis Hackethal Mar 31 '13 at 00:00
  • I honestly don't know why it is not escaping anything. As of rails 3 all output is escaped automatically and only omitted when you explicitly call the `raw` method on it. Do you happen to use that anywhere? – Dennis Hackethal Mar 31 '13 at 00:07
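As an added illustration (not part of the question or the answer above), the following plain Ruby script shows the difference the answer describes using the standard library's ERB::Util.h, the helper Rails' `h` is built on. The sample input is constructed, and `render_unescaped` is a stand-in for what `raw` / `html_safe` do in Rails, not Rails code.

```ruby
require "erb"

# Constructed sample: what a user might type into the text area from the
# question, extended with the other characters HTML escaping must handle.
USER_INPUT = '<b> Hello & "friends" </b>'

# Mirrors the answer's `<%= h my_string %>` (and Rails 3's default output
# behaviour): the value is HTML-escaped before it reaches the page, so the
# browser displays the tags as text instead of interpreting them.
def render_escaped(text)
  template = ERB.new("<p><%= ERB::Util.h(text) %></p>")
  template.result(binding)
end

# Stand-in for `raw` / `html_safe` in Rails: the string is written into the
# page unchanged. Plain stdlib ERB never escapes by itself, so no extra helper
# is needed to reproduce the symptom from the question here.
def render_unescaped(text)
  template = ERB.new("<p><%= text %></p>")
  template.result(binding)
end

# Quick check for the symptom in the question: once the template's own <p>
# wrapper is removed, any remaining '<' or '>' came from the user's value,
# meaning it was rendered raw instead of escaped.
def markup_leaked?(rendered_html)
  inner = rendered_html.delete_prefix("<p>").delete_suffix("</p>")
  inner.match?(/[<>]/)
end

if __FILE__ == $PROGRAM_NAME
  puts "escaped:   #{render_escaped(USER_INPUT)}"
  puts "unescaped: #{render_unescaped(USER_INPUT)}"
  puts "leak in escaped output?   #{markup_leaked?(render_escaped(USER_INPUT))}"
  puts "leak in unescaped output? #{markup_leaked?(render_unescaped(USER_INPUT))}"
end
```

If a Rails view shows the bold text, the escaped path was bypassed somewhere (the `raw` the last comment asks about, `html_safe`, or `<%==`), and the leak check above is the kind of assertion a view test can make to catch that.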