I have a model with a title field. When I post to the server

Question

0

Asked: May 26, 20262026-05-26T16:00:13+00:00 2026-05-26T16:00:13+00:00

I have a model with a title field. When I post to the server

0

I have a model with a title field. When I post to the server I see:

Parameters: {"utf8"=>"✓", "authenticity_token"=>"3Le7aLitPd6MzWFeB0ofI9wk1IuhybNswjG9N+KgJJc=", "poll"=>{"title"=>"Hello &"}}

Problem is the DB is then saving as:

Hello &amp;

So later when I output the field on the site it shows up as Hello &

What is the right way to handle this? I want entering & to be supported but at the same time not allow users to submit html or js tags.

Thanks

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-26T16:00:14+00:00

Sanitize.clean outputs HTML, not plain text so of course your ampersands are converted to their HTML entity form (i.e. &). For example, straight from the the fine manual:

Sanitize.clean(html, Sanitize::Config::RESTRICTED) # => '<b>foo</b>'

So you are, in fact, store HTML snippets rather than pieces of plain text. You should be using

<%= raw @thing.title %>

to display your titles as they have already been rendered HTML-safe by Sanitize.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I have a model with a title field. When I post to the server

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply