Browse files

warn the user values are directly interpolated into _html translation…

… strings
  • Loading branch information...
1 parent 9b53406 commit d57d8098fc269a26ea0051a9027a33af1a9a4b2b @fxn fxn committed Nov 17, 2011
Showing with 14 additions and 0 deletions.
  1. +2 −0 actionpack/lib/action_view/helpers/translation_helper.rb
  2. +12 −0 railties/guides/source/i18n.textile
@@ -43,6 +43,8 @@ module TranslationHelper
# a safe HTML string that won't be escaped by other HTML helper methods. This
# naming convention helps to identify translations that include HTML tags so that
# you know what kind of output to expect when you call translate in a template.
+ # Note however that rule extends to interpolated values, so you are responsible
+ # for passing them already escaped in the call, if they need to be.
def translate(key, options = {})
options.merge!(:rescue_format => :html) unless options.key?(:rescue_format)
translation = I18n.translate(scope_key_by_partial(key), options)
@@ -634,6 +634,18 @@ en:
!images/i18n/demo_html_safe.png(i18n demo html safe)!
+Please note that values are interpolated directly into the translation.
+If they need to be escaped you need to pass them already escaped in the +t+ call.
+# config/locales/en.yml
+ welcome_html: <b>Welcome %{name}!</b>
+<%# Note the call to h() to avoid injection %>
+<%= t('welcome_html', :name => h( %>
h3. How to Store your Custom Translations
The Simple backend shipped with Active Support allows you to store translations in both plain Ruby and YAML format. [2]

0 comments on commit d57d809

Please sign in to comment.