Can anyone tell me if it is normal and OK for Rails to turn a normal quotation mark (") into &quot; (and not keep the normal quotation mark) when it is html_escape-d in an email view?

I.e.:

h(whatever_text_that_contains_normal_quotation_marks) in an email view "signup_mail.erb".

Because that would mean that email content could not be completely escaped, right?

Thanks for any hints!

Tom

TomDogg
  • Could you please explain what you mean by "that email content could not be completely escaped"? – kikito Mar 11 '10 at 17:46
  • I mean that any quotation marks could not be "html_escaped" (at least, in my code it doesn't work). But then I ask myself, is it actually necessary (security-wise) to html_escape text that will appear in emails? – TomDogg Mar 11 '10 at 18:18

1 Answer

Well, since Rails 3 does h() all by itself, the question is no longer valid.

TomDogg
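An added example, not part of the original question or answer: h() is ERB::Util.html_escape, and the &quot; it emits is decoded back to a quotation mark when an HTML mail part is rendered, while the unescaped value lets a quotation mark end the attribute early. The templates, the MailView class, the helper names and the sample name are hypothetical stand-ins for signup_mail.erb and its data.

```ruby
require "erb"
require "cgi"

# Constructed sample input: a display name with quotation marks and markup characters.
SAMPLE_NAME = 'Tom "Dogg" <b>'

# Hypothetical stand-ins for the HTML and plain-text versions of signup_mail.erb.
HTML_ESCAPED = '<p title="<%= h(name) %>">Welcome, <%= h(name) %>!</p>'
HTML_RAW     = '<p title="<%= name %>">Welcome, <%= name %>!</p>'
TEXT_PART    = 'Welcome, <%= name %>!'

# Minimal view context that exposes h() to the template.
class MailView
  include ERB::Util # provides h / html_escape

  attr_reader :name

  def initialize(name)
    @name = name
  end

  def render(template)
    ERB.new(template).result(binding)
  end
end

# The title attribute's value as an HTML parser would delimit it:
# everything up to the first literal double quote.
def title_attribute(html)
  html[/title="([^"]*)"/, 1]
end

# What the recipient sees for that attribute after entity decoding.
def displayed_title(html)
  CGI.unescapeHTML(title_attribute(html))
end

if __FILE__ == $PROGRAM_NAME
  view = MailView.new(SAMPLE_NAME)
  puts view.render(HTML_ESCAPED)                  # markup carries &quot;, &lt;, &gt;
  puts displayed_title(view.render(HTML_ESCAPED)) # reader sees the original name
  puts displayed_title(view.render(HTML_RAW))     # attribute cut off at the first "
  puts view.render(TEXT_PART)                     # text/plain part, no h()
end
```

In a text/plain part nothing decodes entities, so calling h() there would show &quot; literally to the recipient.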