warn the user values are directly interpolated into _html translation…
… strings
fxn committed Nov 17, 2011
1 parent f754f3d commit eb46afa
Showing 2 changed files with 14 additions and 0 deletions.
2 changes: 2 additions & 0 deletions actionpack/lib/action_view/helpers/translation_helper.rb
Expand Up @@ -43,6 +43,8 @@ module TranslationHelper
# a safe HTML string that won't be escaped by other HTML helper methods. This
# naming convention helps to identify translations that include HTML tags so that
# you know what kind of output to expect when you call translate in a template.
# Note however that rule extends to interpolated values, so you are responsible
# for passing them already escaped in the call, if they need to be.
def translate(key, options = {})
options.merge!(:rescue_format => :html) unless options.key?(:rescue_format)
translation = I18n.translate(scope_key_by_partial(key), options)
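Review bot: in the two added comment lines, "that rule extends to interpolated values" is ambiguous. The sentences before it cover both the _html naming convention and the fact that the result is a safe HTML string that other helpers won't escape, so "that rule" can be read as "interpolated values get escaped too", which is the opposite of what is meant. Suggest saying it directly, for example: "Interpolated values are inserted as they are and are not escaped, so escape them yourself (for instance with h) before passing them in the call." Since this documents an injection hazard rather than removing it, a follow-up could consider having translate escape interpolation values that are not already html_safe when the key ends in _html.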
12 changes: 12 additions & 0 deletions railties/guides/source/i18n.textile
Expand Up @@ -634,6 +634,18 @@ en:

!images/i18n/demo_html_safe.png(i18n demo html safe)!

Please note that values are interpolated directly into the translation.
If they need to be escaped you need to pass them already escaped in the +t+ call.

<erb>
# config/locales/en.yml
en:
welcome_html: <b>Welcome %{name}!</b>

<%# Note the call to h() to avoid injection %>
<%= t('welcome_html', :name => h(user.name)) %>
</erb>

h3. How to Store your Custom Translations

The Simple backend shipped with Active Support allows you to store translations in both plain Ruby and YAML format. [2]
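Review bot: the added example puts two different files inside one <erb> block. The lines from "# config/locales/en.yml" through "welcome_html: <b>Welcome %{name}!</b>" are YAML, and only the last two lines are template code, so the locale file is presented as ERB and the reader cannot see where one file ends and the other begins. Split it into a YAML block for the locale file and an ERB block for the view, each labelled with its file. The sentence above it ("values are interpolated directly into the translation") would also be clearer if it named the consequence: the _html result is treated as safe HTML, so an unescaped value such as user.name reaches the page as markup unless it is passed through h() as the example does.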