My question relates to this one, but I am trying to reverse the default Rails 3 behavior of “<%=” so that I can inject HTML.
In my scenario, I have an old Rails 2 plugin that generates HTML. My view will then need to inject this HTML in the page.
When this plugin creates HTML like this stored in a variable html_to_show:
<p class="notice"><span></span>Sorry about this, but we have a problem...</p><p class="error"><span></span>Cannot go to next step</p>
and in the view I try to show the contents of html_to_show like this:
<%= html_to_show %>
… what I get in my browser is this:
<p class="notice"><span></span>Sorry about this, but we have a problem...</p><p class="error"><span></span>Cannot go to next step</p>
How can I get Rails 3 to inject the contents of html_to_show exactly as it is, without any sanitization?
Short answer:
Long answer:
Rails escapes all HTML to protect from XSS attacks. Adding .html_safe prevents the escaping.
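To see the mechanism the answer describes without a Rails app, here is an added example (not from the question or the answer) that models what Rails 3's <%= %> does: escape the value unless it answers html_safe?. It also shows the safer way to build such a fragment when part of it comes from an untrusted source. SafeString, erb_output and build_notice are stand-ins written for this example, not the real ActiveSupport classes.

```ruby
require 'erb'

# Minimal stand-in for ActiveSupport::SafeBuffer so this runs without Rails
# (assumption: mirrors html_safe?/html_safe behaviour, not the real class).
class SafeString < String
  def html_safe?
    true
  end
end

class String
  def html_safe?
    false
  end

  # Mark this string as trusted markup; <%= %> will then skip escaping it.
  def html_safe
    SafeString.new(self)
  end
end

# What Rails 3's <%= %> does: escape unless the value says it is html_safe?.
def erb_output(value)
  value.html_safe? ? value.to_s : ERB::Util.html_escape(value.to_s)
end

# Constructed copy of the plugin's output from the question.
PLUGIN_HTML = '<p class="notice"><span></span>Sorry about this, but we have a problem...</p>' \
              '<p class="error"><span></span>Cannot go to next step</p>'

# Safer pattern when part of the fragment is untrusted text (e.g. a message
# that includes user input): escape that text first, then mark only the
# assembled markup as safe, instead of calling html_safe on raw input.
def build_notice(css_class, text)
  "<p class=\"#{css_class}\"><span></span>#{ERB::Util.html_escape(text)}</p>".html_safe
end
```

erb_output(PLUGIN_HTML) yields the escaped text the browser showed, erb_output(PLUGIN_HTML.html_safe) yields the markup unchanged, and build_notice keeps the tags while escaping the untrusted text inside them.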