Colin Law wrote in post #1011094:
> On 15 July 2011 22:13, Jacob <[email protected]> wrote:
>> of every required line. I'd like instead to use a variable:
>>
>> <% req = "<span class='required_field'>Required field</span>" %>
>>
>> And then have
>> <%= f.text_field :screen_name %> <%= req %>
>
> By default Rails will assume that req may contain malicious text (such as some evil js for example) and will escape it so that the raw html appears on the page. Since you know that req is safe to output directly you can either use <%= req.html_safe %> or <%= req = "<span .... >".html_safe %>
>
> On a separate point I would use a view helper method rather than defining req inline however.
From what I gather from the following it might be slightly faster to use <%= raw req %> rather than using html_safe directly when inside a view template:

If a plain String is passed into a <%= %>, Rails always escapes it.

If a SafeBuffer is passed into a <%= %>, Rails does not escape it. To get a SafeBuffer from a String, call html_safe on it. The XSS system has a very small performance impact on this case, limited to a guard calling the html_safe? method.

If you use the raw helper in a <%= %>, Rails detects it at compile-time of the template, resulting in zero performance impact from the XSS system on that concatenation.

Rails does not escape any part of a template that is not in an ERB tag. Because Rails handles this at template compile-time, this results in zero performance impact from the XSS system on these concatenations.

--
Posted via http://www.ruby-forum.com/.
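The escaping rules discussed in the thread, as an added example that is not part of any post: a deliberately simplified stand-in for Rails' SafeBuffer written in plain Ruby (stdlib only; `SafeBuffer`, `erb_output`, `raw` and `required_field_line` are assumed names, not the Rails implementation) showing why `req.html_safe` or `raw req` passes the span through, why user data appended to a safe buffer is still escaped, and why calling `html_safe` on user input switches the protection off.

```ruby
require "erb"

# Simplified model of ActiveSupport::SafeBuffer (assumption: not the Rails class).
class SafeBuffer < String
  def html_safe?; true; end
  def html_safe; self; end
  def to_s; self; end  # String#to_s would downcast a subclass to a plain String

  # Appending to a SafeBuffer escapes the argument unless it is itself safe,
  # so safe markup + user input never silently becomes "safe" as a whole.
  def concat(other)
    other = other.to_s
    super(other.html_safe? ? other : ERB::Util.html_escape(other))
  end
  alias << concat

  def +(other); dup.concat(other); end
end

class String
  def html_safe?; false; end
  def html_safe; SafeBuffer.new(self); end
end

# What <%= value %> does: escape unless the value declares itself safe.
def erb_output(value)
  s = value.to_s
  s.html_safe? ? s : ERB::Util.html_escape(s)
end

# The raw helper: mark a value safe. Only ever for markup you control.
def raw(value)
  value.to_s.html_safe
end

REQ = "<span class='required_field'>Required field</span>"

# Constructed stand-in for <%= f.text_field :screen_name %> <%= req %>:
# the input's value is user data (escaped), the marker is trusted markup (kept).
def required_field_line(user_value)
  out = %(<input type="text" name="screen_name" value=").html_safe
  out << user_value << %(">).html_safe
  out << " " << raw(REQ)
end

if __FILE__ == $PROGRAM_NAME
  puts erb_output(REQ)        # plain String: the span is shown literally
  puts erb_output(raw(REQ))   # SafeBuffer: the span is rendered as markup
  puts required_field_line(%(" onfocus="alert(1)))  # quotes escaped, marker intact
end
```

Running it prints the escaped span, the raw span, and an input tag whose injected quote is rendered as `&quot;`, with the required-field marker still appended as markup.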

