If the flash message was created entirely by program code with no user input, marking html_safe may be appropriate -- and sanitizing may not be. Same as, say, running the output of a `render :partial` through `sanitize` -- the html output may have only included tags that happen to be whitelisted by sanitize, so it may work, but it's not really the right thing to do, and will fail in cases where the output had things not in sanitize's whitelist.
Previously in our app, some parts of code supplied plain text to flash (in strings not marked html_safe), and expected it would be properly escaped. Other parts of code supplied `.html_safe` strings to flash, and expected it would be displayed as html without escaping. Simply running everything through `sanitize` actually risks breaking both code paths -- the things supplying non-html_safe strings may find that certain code that looks like html tags makes it through as html, when it was expected to be escaped. (Imagine a string "<a> The first part; <b> The second part"). While the things that supplied properly html-safe strings (which already had tainted sub-strings properly escaped) may find that some HTML code that was intended to make it through -- gets stripped by sanitize because it wasn't on the whitelist.

In general, the html_safe mechanism is already pretty good at keeping things intended as HTML code (which were already produced in safe ways) separate from things intended as plain text (which shouldn't just be sanitized, they should be escaped), and making sure they get combined properly (eg `safe_join`), etc. But as of Rails 4.1, I guess this mechanism is unavailable for flash messages, simply marking a flash message html_safe or not. I miss it, it worked out well.

I guess another workaround needs to be found for our program design, but simply passing everything through `sanitize` isn't really it, I don't think.

Jonathan

On Monday, June 16, 2014 12:27:10 PM UTC-4, Rafael Mendonça França wrote:
>
> Instead of marking the flash value as html_safe it is better to properly
> sanitize it when presenting in your view. I believe <%=
> sanitize(flash[:notice]) %> would work fine.
>
> Rafael Mendonça França
> http://twitter.com/rafaelfranca
> https://github.com/rafaelfranca
>
> On Mon, Jun 16, 2014 at 12:35 PM, Justin Coyne <[email protected]> wrote:
>
>> I believe due to this change:
>> https://github.com/rails/rails/pull/13945#issuecomment-34090370 we're
>> no longer able to set html_safe strings in the flash message. Is this a
>> bug? Does anyone have an opinion on the right way to set a flash message with
>> a link in it now?
>>
>> -Justin
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Ruby on Rails: Core" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To post to this group, send email to [email protected].
>> Visit this group at http://groups.google.com/group/rubyonrails-core.
>> For more options, visit https://groups.google.com/d/optout.
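The two code paths Jonathan contrasts above (escaping plain text versus passing through a string the program already built as HTML, and why an allowlist sanitizer breaks both), as an added example that is not code from this thread or from Rails. `SafeString`, `render_flash`, `toy_sanitize` and `safe_join` are constructed stand-ins for ActiveSupport::SafeBuffer, the view's escaping of a flash value, the `sanitize` helper and Rails' `safe_join`; the sample flash strings are constructed as well.

```ruby
require "erb"

# Constructed stand-in for ActiveSupport::SafeBuffer (assumption: not Rails' class).
# A String subclass whose only job is to carry the "already safe HTML" flag.
class SafeString < String
  def html_safe?
    true
  end
end

class String
  # Mark a string the program built itself as HTML that must not be escaped.
  def html_safe
    SafeString.new(self)
  end

  def html_safe?
    false
  end
end

# What the view does with a flash value under the html_safe mechanism:
# escape it unless it was explicitly marked safe.
def render_flash(value)
  value.html_safe? ? value.to_s : ERB::Util.html_escape(value.to_s)
end

# Constructed, simplified allowlist sanitizer standing in for Rails' `sanitize`
# helper (assumption: the real helper has a larger allowlist and a real HTML
# parser). Tags in ALLOWED_TAGS pass through unchanged; any other tag is stripped.
ALLOWED_TAGS = %w[a b em strong].freeze

def toy_sanitize(html)
  html.to_s.gsub(%r{</?([a-zA-Z][a-zA-Z0-9]*)[^>]*>}) do |tag|
    ALLOWED_TAGS.include?(Regexp.last_match(1).downcase) ? tag : ""
  end
end

# Combine safe fragments with tainted text: each tainted part is escaped,
# safe parts pass through, and the result is marked safe as a whole.
def safe_join(parts, separator = "")
  parts.map { |part| render_flash(part) }
       .join(ERB::Util.html_escape(separator))
       .html_safe
end

# Constructed sample values.
# Plain text that merely looks like markup (Jonathan's example string).
PLAIN_FLASH = "<a> The first part; <b> The second part"
# Program-built HTML, marked safe by the code that built it.
SAFE_FLASH  = ('Saved. <a href="/items/1">View</a> ' \
               '<span class="hint">(undo)</span>').html_safe

if __FILE__ == $PROGRAM_NAME
  # Escaping keeps the plain text as text; sanitizing lets <a> and <b> through as live tags.
  puts "escape plain:   #{render_flash(PLAIN_FLASH)}"
  puts "sanitize plain: #{toy_sanitize(PLAIN_FLASH)}"
  # The safe string renders intact; sanitizing strips the <span> it was meant to contain.
  puts "render safe:    #{render_flash(SAFE_FLASH)}"
  puts "sanitize safe:  #{toy_sanitize(SAFE_FLASH)}"
  # safe_join escapes only the tainted part.
  puts "safe_join:      #{safe_join(['<a href="/items/1">View</a>'.html_safe, 'Bob <script>'], ' ')}"
end
```

Run it with `ruby flash_demo.rb`. The plain-text path shows the first failure Jonathan describes (`<a>` and `<b>` survive sanitizing as real tags instead of being escaped) and the html_safe path shows the second (the `<span>` the program deliberately emitted is dropped because it is not on the allowlist), while `render_flash` plus `safe_join` handle both inputs correctly.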
