Do not escape HTML entities in text files #7305

iblue commented Aug 9, 2012

Rails escapes HTML entities in erb files. This is great, because it prevents Cross Site Scripting and other evil attacks. However, there is one case where this behavior leads to undesired effects.

Rails escapes HTML entities in plain text mails. When I am using a message.text.erb file, ActionMailer correctly detects that the mail contains plain text and sets a text/plain mime type. However, ERB still handles this as an html file and escapes HTML entities.

For example, if my template contains Dear <%= @customer_name %>, ... and @customer_name is Foobar & Partner, then the mail will contain Dear Foobar &amp; Partner.

The following commit just disables HTML escaping in text templates. A text erb template is every file that has .text in the file name and is handled by erb.


I thought this was already fixed?


Yes, this is a duplicate of #6943.
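The behaviour described in the pull request description, as an added example that is not part of the original thread and not Rails code: escaping is chosen from the template file name, so `message.text.erb` keeps `&` as typed while an HTML template still escapes it. `text_template?` and `render_template` are hypothetical helpers, and stdlib ERB with an emulated escaping step stands in for Rails' own template handler.

```ruby
require "erb"

# Template text taken from the PR description; the values passed in are constructed.
TEMPLATE = "Dear <%= @customer_name %>, ..."

# Rule from the PR description: a text template has ".text" in its file name
# and is handled by erb, e.g. message.text.erb.
def text_template?(name)
  parts = File.basename(name).split(".")
  parts.last == "erb" && parts[1..-2].include?("text")
end

# Hypothetical renderer. Stdlib ERB does not escape output by itself, so the
# Rails behaviour is emulated by wrapping every <%= ... %> in html_escape
# unless the file name marks the template as plain text.
def render_template(name, source, locals)
  unless text_template?(name)
    source = source.gsub(/<%=(.*?)%>/m) { "<%= ERB::Util.html_escape((#{$1})) %>" }
  end
  ctx = Object.new
  locals.each { |key, value| ctx.instance_variable_set("@#{key}", value) }
  ERB.new(source).result(ctx.instance_eval { binding })
end

if __FILE__ == $PROGRAM_NAME
  name = "Foobar & Partner"
  puts render_template("message.text.erb", TEMPLATE, customer_name: name)
  puts render_template("message.html.erb", TEMPLATE, customer_name: name)
end
```

The unescaped result is only appropriate while it is delivered as `text/plain`; anything that later places the same string into an HTML page has to escape it at that point.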
