Shouldn't tag helpers use single quotes? #9927

Closed
yasirs opened this issue Mar 25, 2013 · 7 comments

Comments

@yasirs

yasirs commented Mar 25, 2013

Suppose we have

    <% c1 = "'" %>
    <% c2 = '"' %>
    <input type='hidden' name='c1' value='<%= h c1 %>'>
    <input type='hidden' name='c2' value='<%= h c2 %>'>

This works.
However,

    <%= hidden_field_tag :c1, c1 %>
    <%= hidden_field_tag :c2, c2 %>

or

    <input type='hidden' name='c1' value="<%= h c1 %>">
    <input type='hidden' name='c2' value="<%= h c2 %>">

doesn't. Basically, due to the way html_escape works, it seems that using single quotes to wrap values in the tag helpers makes it possible to use all string values as attributes.

@rafaelfranca
Member

Why doesn't it work? Could you post the generated HTML?

@yasirs
Author

yasirs commented Mar 25, 2013

Sure!
This is the generated HTML:

    Single Quotes </br>
    <input type='hidden' name='c1' value='&#x27;'>
    <input type='hidden' name='c2' value='"'>
    hidden_field_tag </br>
    <input id="c1" name="c1" type="hidden" value="&#x27;" />
    <input id="c2" name="c2" type="hidden" value=""" />    
    double quotes </br>
    <input type='hidden' name='c1' value="&#x27;">
    <input type='hidden' name='c1' value=""">

This is how it's parsed by Firefox:

    Single Quotes
    <br>
    <input type="hidden" value="'" name="c1">
    <input type="hidden" value=""" name="c2">
    hidden_field_tag
    <br>
    <input id="c1" type="hidden" value="'" name="c1">
    <input id="c2" type="hidden" "="" value="" name="c2">
    double quotes
    <br>
    <input type="hidden" value="'" name="c1">
    <input type="hidden" "="" value="" name="c1">

This is the erb code:

    <% c1 ="'" %>
    <% c2='"' %>
    Single Quotes </br>
    <input type='hidden' name='c1' value='<%= h c1 %>'>
    <input type='hidden' name='c2' value='<%= h c2 %>'>
    hidden_field_tag </br>
    <%= hidden_field_tag :c1, c1 %>
    <%= hidden_field_tag :c2, c2 %>    
    double quotes </br>
    <input type='hidden' name='c1' value="<%= h c1 %>">
    <input type='hidden' name='c1' value="<%= h c2 %>">

@rafaelfranca
Member

I think the helpers should escape the double quotes too. @NZKoz @jeremy do you remember why they are not escaped?

@NZKoz
Member

NZKoz commented Mar 25, 2013

Ever since b6ab441 we escape single and double quotes. I'm not sure if you have a library installed which is messing with things:

    ERB::Util.html_escape(%('"<>/))
    => "&#x27;&quot;&lt;&gt;/

and my generated html is:

    <input id="c1" name="c1" type="hidden" value="&#x27;" />
    <input id="c2" name="c2" type="hidden" value="&quot;" />

What version of rails and libraries are you using?
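The thread's point is that an escaper which leaves `"` alone lets a value terminate a double-quoted attribute, which is exactly what the Firefox dump above shows (`value=""` followed by a stray `"=""` attribute). The following added example (not code from the issue or from Rails) models that failure and the fix: `broken_escape` is a hypothetical escaper constructed to mirror the reported behaviour, `safe_escape` uses Ruby's standard-library `ERB::Util.html_escape`, `hidden_input` is a stand-in for `hidden_field_tag`, and `browser_value` reads a `value` attribute the way a browser does, stopping at the first raw `"`.

```ruby
require 'erb'
require 'cgi'

# Hypothetical escaper, constructed to mirror the behaviour reported in the issue:
# it handles &, <, > but leaves both quote characters untouched.
def broken_escape(str)
  str.to_s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;')
end

# Escaping with Ruby's standard library. Rails' ERB::Util.html_escape does the same
# job apart from the apostrophe entity (&#x27; in Rails, &#39; in the stdlib).
def safe_escape(str)
  ERB::Util.html_escape(str.to_s)
end

# Stand-in for hidden_field_tag (not the Rails implementation): emits a hidden input
# with double-quoted attributes, escaping each value with the escaper passed in.
def hidden_input(name, value, escaper)
  %(<input type="hidden" name="#{escaper.call(name)}" value="#{escaper.call(value)}" />)
end

# Rough model of how a browser reads a double-quoted value attribute: everything after
# `value="` up to the next raw `"`. Anything past that quote is parsed as further
# attributes, which is what the Firefox dump in the issue shows.
def browser_value(tag)
  m = tag.match(/value="([^"]*)"/)
  m ? CGI.unescapeHTML(m[1]) : nil
end

# True when the value survives the round trip: render, parse like a browser, compare.
def round_trips?(value, escaper)
  browser_value(hidden_input('c', value, escaper)) == value
end

if __FILE__ == $0
  # Constructed sample values: a double quote, a single quote, and the mix from the thread.
  ['"', "'", %q('"<>/)].each do |v|
    puts "#{v.inspect}: broken=#{round_trips?(v, method(:broken_escape))} " \
         "safe=#{round_trips?(v, method(:safe_escape))}"
  end
end
```

With the broken escaper only the lone `'` round-trips (a single quote cannot close a double-quoted attribute), while `"` and the mixed string are truncated; with proper escaping all three survive, which is why the helpers emit `&quot;` rather than relying on the choice of delimiter.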

@rafaelfranca
Member

Good point. I should have tried on the console 😳

@yasirs
Author

yasirs commented Mar 25, 2013

I have Rails 3.2.11. On the Rails console I get

    irb(main):001:0> ERB::Util.html_escape(%('"<>/))
    => "&#x27;&quot;&lt;&gt;/"

Which libraries should I check?
Here is my Gemfile:

    ruby "1.9.3"
    gem 'rails', '3.2.11'
    gem 'multi_json', '1.5.1'
    gem 'pg'
    gem 'thin'
    gem 'therubyracer'
    gem 'bootstrap-sass'
    gem 'simple_form'
    gem 'devise'
    gem 'cancan'
    gem 'role_model'
    gem 'redis'
    gem 'resque', "~> 1.22.0"
    gem 'carrierwave-postgresql'
    gem 'newrelic_rpm'
    gem 'carrierwave'
    gem 'roo'
    gem 'cells'
    gem 'remotipart'
    gem 'coffee-rails', '~> 3.2.1'
    gem 'active_scaffold', git: "https://github.com/activescaffold/active_scaffold.git"
    gem 'activerecord-postgres-hstore'
    group :assets do
      gem 'sass-rails',   '~> 3.2.3'
      gem 'coffee-rails', '~> 3.2.1'
      gem 'uglifier', '>= 1.0.3'
    end
    gem 'jquery-rails'

@rafaelfranca
Member

No idea. Try bootstrap-sass, cells, roo.

I'm closing this issue since it is not a Rails issue. Thank you for the report. If you need any extra help or find a solution, please comment on this issue.
