Flash message from controller: its HTML code is displayed as text

In my controller, as part of a create method, I have a flash message:

flash[:success] = "An email was sent to #{@user.email}. Please check your inbox. <br> If you find this email in your junk mail folder, please mark the email as 'Not Junk'.".html_safe

The <br> in the middle, however, is rendered as text instead of being treated as HTML and continuing the text on a new line. This is despite html_safe being used at the end. Does anyone know what might be causing this and what to do about it?

Update: I tried it with other controller flash messages too. Just add <br> and html_safe to see how it displays; every time it causes problems. In views, on the other hand, this poses no problem.

As requested, the code that displays flash messages (but even if I reduce it to just <%= message %>, the problem still persists):

<% flash.each do |message_type, message| %>
  <%= content_tag :div, class: "alert alert-#{message_type}" do -%>
    <%= message %>
    <button type="button" class="close" data-dismiss="alert"><span aria-hidden="true">&times;</span><span class="sr-only">Close</span></button>
  <% end -%>
<% end %>

+3




2 answers


<%= message.html_safe %>

This silently puts every notification straight into the HTML, so you don't really want to do this. You can do this if and only if you are 100% sure that your application will never put any user content in notifications; otherwise your application will be vulnerable to a JS injection attack. Try this instead:

Flash post with html_safe from controller in Rails 4 (safe version)

So add

before_filter -> { flash.now[:success] = flash[:success].html_safe if flash[:html_safe] && flash[:success] }

to your ApplicationController, and then, whenever you set an html-safe flash[:success], also set flash[:html_safe] to true, like:



flash[:success] = "An email was sent to #{@user.email}. Please check your inbox. <br> If you find this email in your junk mail folder, please mark the email as 'Not Junk'.".html_safe
flash[:html_safe] = true


Edit: Yes, you can omit the .html_safe at the end. You can make it more general, and delete the flag entry so it isn't shown as a message, like:

# before_action is the Rails 4+ name for this; before_filter was removed in Rails 5.1
before_filter -> {
  if flash[:html_safe]
    flash.delete(:html_safe)   # drop the flag so it is never rendered as an alert
    flash.each do |k, message|
      # flash.now keeps the message marked for discard at the end of this request;
      # a plain flash[k] = ... would un-discard it and show it again on the next page
      flash.now[k] = message.html_safe if message.is_a?(String)
    end
  end
}

+3




Hopefully @nextstep reads this and reverts his answer, because it was right the first time.

You need to call .html_safe when displaying your flash message, not when setting it, because in between the message is serialized into the session and therefore loses its html_safe flag.

I was fooled in my testing because I was setting and showing the flash message in the same request (so it was not serialized and deserialized between setting and display).

So, as @nextstep originally said (mostly), change your view to:

<%= message.html_safe %>


+1
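Putting the two answers together, here is an added example; it is not code from the question, from either answer, or from Rails itself. It mimics the controller -> session -> view flow in plain Ruby: JSON.generate and JSON.parse stand in for the JSON cookie session store that makes a SafeBuffer come back as a plain String between requests, and ERB::Util.html_escape stands in for Rails' h helper. The function names, the string-keyed flash hash and the two sample email addresses are all constructed for this illustration. The check a reviewer would want, which neither answer spells out: @user.email is user-controlled, so marking the whole message html_safe (in the controller or in the view) also trusts whatever markup the user typed into the address. Escape the interpolated data where it is inserted and keep the trust flag out of band, so only the author-written <br> is ever emitted raw.

```ruby
require 'erb'
require 'json'

# Controller side: build the notice with the user-controlled piece escaped.
# The <br> is literal, author-written markup; the email is data and gets
# html_escape'd, so an address like "<img src=x onerror=alert(1)>@evil.test"
# cannot smuggle markup into a message the view later trusts.
def email_sent_message(email)
  "An email was sent to #{ERB::Util.html_escape(email)}. Please check your inbox.<br>" \
  "If you find this email in your junk mail folder, please mark the email as 'Not Junk'."
end

# The controller also sets the out-of-band flag used in the answers above.
# Only server code writes to flash, so the flag is a statement by the
# controller, never by the user.
def set_success_flash(flash, email)
  flash['success'] = email_sent_message(email)
  flash['html_safe'] = true
  flash
end

# Stand-in for Rails' JSON cookie session store (the default since 4.1): the
# flash hash is serialized to JSON and parsed again on the next request.
# JSON carries no Ruby object metadata, which is why a SafeBuffer set in the
# controller comes back as a plain String with html_safe? == false.
def session_round_trip(flash)
  JSON.parse(JSON.generate(flash))
end

# View side: the equivalent of the ERB loop in the question. Messages are
# escaped unless the controller-set flag is present; the flag itself is
# removed so it is never rendered as an alert.
def render_flash(flash)
  flash = flash.dup
  trusted = flash.delete('html_safe')
  flash.map do |type, message|
    body = trusted ? message : ERB::Util.html_escape(message)
    %(<div class="alert alert-#{ERB::Util.html_escape(type)}">#{body}</div>)
  end.join("\n")
end

if __FILE__ == $0
  # Constructed inputs: a normal address and one carrying an XSS payload.
  ['alice@example.com', '<img src=x onerror=alert(1)>@evil.test'].each do |email|
    flash = session_round_trip(set_success_flash({}, email))
    puts render_flash(flash)
  end
  # No flag set: a <br> in the message shows up as text, the symptom from the question.
  puts render_flash(session_round_trip({ 'notice' => 'line one<br>line two' }))
end
```

As in nextstep's edited filter, the flag is per flash, not per key: when it is present, every message set in the same request is emitted raw, so any other flash set alongside must be built with the same escaping discipline. Use one flag key per message if you need finer granularity.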
