Let’s say I’m outputting a post title and in our database, it’s Hello Y’all

Question

0

Asked: June 13, 20262026-06-13T20:42:08+00:00 2026-06-13T20:42:08+00:00

Let’s say I’m outputting a post title and in our database, it’s Hello Y’all

0

Let’s say I’m outputting a post title and in our database, it’s Hello Y’all — can I output it without using .html_safe, but in such a way that it doesn’t get output in html as Hello Y&#8217;all?

That is, if a user copies a post title from a word processor that uses typographically correct apostrophes, I’m getting gibberish output since it’s escaping the & in the database as &. Of course, I would want a title from the database that’s Bonnie & Clyde to be output as Bonnie & Clyde since that is the correct HTML…

Is there a safe way to do this?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-13T20:42:10+00:00

Editorial Team

2026-06-13T20:42:10+00:00Added an answer on June 13, 2026 at 8:42 pm

SafeBuffer calls ERB::Util.h for strings that aren’t html_safe, so you can gsub on ERB::Util.h(your_string) and replace instances of &[code] with &[code]; when first saving the string in your database. That way your string is first sanitized

The call you need is ERB::Util.h(your_string).gsub(/&(#x?[\da-fA-F]+;)/, '&\1')

Then whenever you need to display that particular string, call html_safe on it.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Let’s say I’m outputting a post title and in our database, it’s Hello Y&#8217;all

Leave an answerCancel reply

1 Answer

Let’s say I’m outputting a post title and in our database, it’s Hello Y’all

Leave an answer
Cancel reply