
Shouldn't tag helpers use single quotes? #9927

Closed
yasirs opened this Issue March 25, 2013 · 7 comments

3 participants

yasirs Rafael Mendonça França Michael Koziarski
yasirs

Suppose we have

    <% c1 = "'" %>
    <% c2 = '"' %>
    <input type='hidden' name='c1' value='<%= h c1 %>'>
    <input type='hidden' name='c2' value='<%= h c2 %>'>

This works.
However,

    <%= hidden_field_tag :c1, c1 %>
    <%= hidden_field_tag :c2, c2 %>

or

    <input type='hidden' name='c1' value="<%= h c1 %>">
    <input type='hidden' name='c2' value="<%= h c2 %>">

doesn't work. Basically, due to the way html_escape works, it seems that using single quotes to wrap values in the tag helpers makes it possible to use all string values as attributes.

Rafael Mendonça França
Owner

Why doesn't it work? Could you post the generated HTML?

yasirs

Sure!
This is the generated HTML:

    Single Quotes </br>
    <input type='hidden' name='c1' value='&#x27;'>
    <input type='hidden' name='c2' value='"'>
    hidden_field_tag </br>
    <input id="c1" name="c1" type="hidden" value="&#x27;" />
    <input id="c2" name="c2" type="hidden" value=""" />    
    double quotes </br>
    <input type='hidden' name='c1' value="&#x27;">
    <input type='hidden' name='c1' value=""">

This is how it's parsed by Firefox:

    Single Quotes
    <br>
    <input type="hidden" value="'" name="c1">
    <input type="hidden" value=""" name="c2">
    hidden_field_tag
    <br>
    <input id="c1" type="hidden" value="'" name="c1">
    <input id="c2" type="hidden" "="" value="" name="c2">
    double quotes
    <br>
    <input type="hidden" value="'" name="c1">
    <input type="hidden" "="" value="" name="c1">

This is the erb code:

    <% c1 ="'" %>
    <% c2='"' %>
    Single Quotes </br>
    <input type='hidden' name='c1' value='<%= h c1 %>'>
    <input type='hidden' name='c2' value='<%= h c2 %>'>
    hidden_field_tag </br>
    <%= hidden_field_tag :c1, c1 %>
    <%= hidden_field_tag :c2, c2 %>    
    double quotes </br>
    <input type='hidden' name='c1' value="<%= h c1 %>">
    <input type='hidden' name='c1' value="<%= h c2 %>">

Rafael Mendonça França
Owner

I think the helpers should escape the double quotes too. @NZKoz @jeremy do you remember why they are not escaped?

Michael Koziarski
Owner
NZKoz commented March 25, 2013

Ever since b6ab441 we escape single and double quotes. I'm not sure if you have a library installed which is messing with things:

    ERB::Util.html_escape(%('"<>/))
    => "&#x27;&quot;&lt;&gt;/"

and my generated html is:

    <input id="c1" name="c1" type="hidden" value="&#x27;" />
    <input id="c2" name="c2" type="hidden" value="&quot;" />

What version of rails and libraries are you using?
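To pin down where the double quote goes missing, the following Ruby is an added example (not Rails code and not from this thread): it models the escaping and a double-quoting helper like the one described above, reproduces the broken `value="""` output when `"` is left unescaped, and checks whether the `ERB::Util.html_escape` actually loaded in a process still escapes everything. `FULL_ESCAPE`, `BROKEN_ESCAPE`, `hidden_input`, `parsed_value` and `escaper_intact?` are names invented here.

```ruby
require 'erb'
require 'cgi'

# Constructed escape map (an assumption for this example, not Rails' code):
# the five characters html_escape rewrites, using the entities shown in
# the thread above.
FULL_ESCAPE = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#x27;'
}.freeze

# The same map minus the double quote, reproducing the broken output
# reported above (value=""").
BROKEN_ESCAPE = FULL_ESCAPE.reject { |ch, _| ch == '"' }.freeze

def escape_with(map, str)
  str.to_s.gsub(/[&<>"']/) { |ch| map.fetch(ch, ch) }
end

# Stand-in for hidden_field_tag: like the Rails helper it always wraps the
# value in double quotes, so an unescaped '"' terminates the attribute early.
def hidden_input(name, value, map = FULL_ESCAPE)
  %(<input type="hidden" name="#{escape_with(map, name)}" value="#{escape_with(map, value)}" />)
end

# What a browser sees as the value attribute: the text up to the next '"'.
# Returns the still-escaped text; CGI.unescapeHTML recovers the original.
def parsed_value(tag)
  tag[/\bvalue="([^"]*)"/, 1]
end

# Sanity check for the escaper loaded in this process (default: the real
# ERB::Util.html_escape). After stripping entities, nothing that could
# break out of an attribute may remain.
def escaper_intact?(escaper = ERB::Util.method(:html_escape))
  out = escaper.call(%q(&<>"')).to_s
  out.gsub(/&(?:#x?[0-9a-f]+|[a-z]+);/i, '').empty?
end

if __FILE__ == $PROGRAM_NAME
  puts hidden_input(:c2, '"')                 # value="&quot;"
  puts hidden_input(:c2, '"', BROKEN_ESCAPE)  # value=""" -> browser reads ""
  puts escaper_intact?                        # true on an intact install
end
```

Running `escaper_intact?` inside the affected app's console (after the whole Gemfile is loaded) separates a gem overriding `html_escape` from a problem in the helper itself.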

Rafael Mendonça França
Owner

Good point. I should have tried on the console :flushed:

yasirs

I have Rails 3.2.11. On the Rails console I get

    irb(main):001:0> ERB::Util.html_escape(%('"<>/))
    => "&#x27;&quot;&lt;&gt;/"

Which libraries should I check?
Here is my Gemfile

    ruby "1.9.3"
    gem 'rails', '3.2.11'
    gem 'multi_json', '1.5.1'
    gem 'pg'
    gem 'thin'
    gem 'therubyracer'
    gem 'bootstrap-sass'
    gem 'simple_form'
    gem 'devise'
    gem 'cancan'
    gem 'role_model'
    gem 'redis'
    gem 'resque', "~> 1.22.0"
    gem 'carrierwave-postgresql'
    gem 'newrelic_rpm'
    gem 'carrierwave'
    gem 'roo'
    gem 'cells'
    gem 'remotipart'
    gem 'coffee-rails', '~> 3.2.1'
    gem 'active_scaffold', git: "https://github.com/activescaffold/active_scaffold.git"
    gem 'activerecord-postgres-hstore'
    group :assets do
      gem 'sass-rails',   '~> 3.2.3'
      gem 'coffee-rails', '~> 3.2.1'
      gem 'uglifier', '>= 1.0.3'
    end
    gem 'jquery-rails'

Rafael Mendonça França
Owner

No idea. Try bootstrap-sass, cells, roo.

I'm closing this issue since it is not a Rails issue. Thank you for the report. If you need any extra help or find a solution, please comment on this issue.

Rafael Mendonça França rafaelfranca closed this March 26, 2013