3

I'm using h to HTML encode some text in Rails 2, but I'm having problems with apostrophes. To be more exact, I'm finding that my apostrophes end up as ' which is obviously not want I want to display.

Anyone have any ideas why this is happening? My research has implied HTML encoding shouldn't affect apostrophes.

the Tin Man
  • 158,662
  • 42
  • 215
  • 303
tiswas
  • 2,041
  • 7
  • 31
  • 43
  • Does it really output `'` to what the user sees (i.e. `'`), or is this shown when viewing the html? –  Feb 04 '11 at 15:05

4 Answers4

5

This is an interesting question. I'm seeing an inconsistency in how h AKA html_escape handles apostrophe AKA "'".

According to the RDoc for ERB::Util 2.6.6:

ESCAPE_TABLE = { '&'=>'&amp;', '<'=>'&lt;', '>'=>'&gt;', '"'=>'&quot;', "'"=>'&#039;', }

gem list erubis
*** LOCAL GEMS ***
erubis (2.6.6)

In IRB I see:

Welcome to IRB. You are using ruby 1.9.2p136 (2010-12-25 revision 30365) [x86_64-darwin10.5.0]. Have fun ;)
>> require 'erb' #=> true
>> ERB::Util.html_escape("foo'bar") #=> "foo'bar"
>> ERB::Util.html_escape('foo"bar') #=> "foo&quot;bar"

EDIT:

Heh, it's a bug, or at least an inconsistency, in the h method. Here's the source:

# File 'lib/erubis/helpers/rails_helper.rb', line 342

def h(value)
  value.to_s.gsub(/[&<>"]/) {|s| ESCAPE_TABLE[s] }
end

Notice the string being passed to gsub doesn't contain "'"? That means the lookup for ESCAPE_TABLE doesn't get called for single-quote/apostrophe.

And, we all know the crux of the biscuit is the apostrophe. :-)

I expect that if I look at the definition for h or html_escape in your version of Rails, we'll find the apostrophe is included in that string.

The fix is either to upgrade your ERB/Erubis, or override the h/html_escape definition to be correct. You can use the definition above as a starting point.

the Tin Man
  • 158,662
  • 42
  • 215
  • 303
3

I had similar problem in Rails 4 where apostrophes would display as &#39; The problem actually seems to be that I was using the truncatefunction to display the text. Once that was removed, the apostrophes display as expected.

In this case adding escape:false as option to truncate solves the problem.

Ciryon
  • 2,637
  • 3
  • 31
  • 33
1

Ruby on Rails 3 does h automatically. This is not needed anymore. Use

<%= @post.body %>

instead of

<%=h @post.body %>

If you do want to output anything without escaping it, use raw:

<%=raw @post.body %> <!-- For example, for use in a plaintext format */
  • 1
    afraid I'm using rails 2, so problem still stands. I'll edit my question to include this info. – tiswas Feb 04 '11 at 15:02
  • 1
    @tiswas I'll leave this answer here for Rails 3 users with the same problem. I'll make it Community Wiki. –  Feb 04 '11 at 15:02
1

From looking the source code in actionpack/lib/action_view/erb/util.rb apostrophes aren't encoded, only & > < " characters.

My guess is somewhere in your Rails app a library/plugin/gem has redefined html_escape or the HTML_ESCAPE constant. You should also check your data directly in the database to ensure that it hadn't already been encoded when saved.

Aaron Hinni
  • 14,578
  • 6
  • 39
  • 39