On 18 July 2011 22:45, Robert Walker <[email protected]> wrote:
> Colin Law wrote in post #1011094:
>> On 15 July 2011 22:13, Jacob <[email protected]> wrote:
>>> of every required line. I'd like instead to use a variable:
>>>
>>> <% req = "<span class='required_field'>Required field</span>" %>
>>>
>>> And then have
>>> <%= f.text_field :screen_name %> <%= req %>
>>
>> By default Rails will assume that req may contain malicious text (such as some evil js for example) and will escape it so that the raw html appears on the page. Since you know that req is safe to output directly you can either use <%= req.html_safe %> or <%= req = "<span .... >".html_safe %>
>>
>> On a separate point I would use a view helper method rather than defining req inline however.
>
> From what I gather from the following it might be slightly faster to use <%= raw req %> rather than using html_safe directly when inside a view template:
>
> If a plain String is passed into a <%= %>, Rails always escapes it.
>
> If a SafeBuffer is passed into a <%= %>, Rails does not escape it. To get a SafeBuffer from a String, call html_safe on it. The XSS system has a very small performance impact on this case, limited to a guard calling the html_safe? method.
>
> If you use the raw helper in a <%= %>, Rails detects it at compile-time of the template, resulting in zero performance impact from the XSS system on that concatenation.
>
> Rails does not escape any part of a template that is not in an ERB tag. Because Rails handles this at template compile-time, this results in zero performance impact from the XSS system on these concatenations.
That is useful to know, thanks Robert.

Colin

-- 
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
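The escaping behaviour Colin and Robert describe above, as an added example that is not part of the thread and not Rails' own code: a small pure-Ruby model of the html_safe / raw guard (the SafeBuffer stand-in, erb_output, render_screen_name_field and the REQ constant are all names assumed for this example). It shows why a plain `<%= req %>` puts the tags on the page as text, why `req.html_safe` or `raw req` lets the markup through, and why the same flag applied to user input defeats the protection.

```ruby
require 'cgi'

# A minimal stand-in for ActiveSupport::SafeBuffer, written for this example
# (it is not Rails' own code). Values produced by html_safe / raw carry a
# "trusted" flag; everything else is treated as untrusted text.
class SafeBuffer < String
  def html_safe?
    true
  end

  def html_safe
    self
  end

  # String#to_s on a subclass instance returns a plain String, which would
  # silently drop the flag, so hand back the buffer itself.
  def to_s
    self
  end

  # Appending a plain String escapes it; appending a SafeBuffer does not.
  def <<(other)
    super(other.html_safe? ? other : CGI.escapeHTML(other.to_s))
  end
end

class String
  # Plain Strings are untrusted by default.
  def html_safe?
    false
  end

  # Marks the String as trusted HTML. Only use this on markup you wrote
  # yourself, never on anything derived from user input.
  def html_safe
    SafeBuffer.new(self)
  end
end

# What <%= value %> does: one html_safe? guard decides whether the value is
# escaped. This is the "very small performance impact" case from the thread.
def erb_output(value)
  value.html_safe? ? value : CGI.escapeHTML(value.to_s).html_safe
end

# The raw helper is value.to_s.html_safe; in a real template Rails spots the
# call when compiling the template and skips the guard entirely.
def raw(value)
  value.to_s.html_safe
end

# The literal from the thread.
REQ = "<span class='required_field'>Required field</span>".freeze

# Renders the fragment "<%= f.text_field :screen_name %> <%= req %>".
# screen_name is user-supplied; req is whatever the template assigned.
def render_screen_name_field(screen_name, req)
  out = SafeBuffer.new
  # f.text_field escapes the attribute value itself and returns a SafeBuffer.
  out << %(<input type="text" name="screen_name" value="#{CGI.escapeHTML(screen_name)}" />).html_safe
  out << " ".html_safe     # literal template text is appended without the guard
  out << erb_output(req)   # the <%= req %> part
  out
end

if $PROGRAM_NAME == __FILE__
  puts erb_output(REQ)            # escaped: the tags show up as text on the page
  puts erb_output(REQ.html_safe)  # rendered as real markup
  puts erb_output(raw(REQ))       # same result as html_safe
  hostile = '"><script>alert(1)</script>'   # constructed sample of untrusted input
  puts render_screen_name_field(hostile, raw(REQ))
end
```

The design point is that the guard trusts whoever called html_safe: the literal in the thread is safe because the developer wrote it, but a value that came from a request parameter must be left as a plain String so the `<%= %>` guard escapes it.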

