Do not escape HTML entities in text files #7305

Closed

@iblue
iblue commented Aug 9, 2012

Rails escapes HTML entities in erb files. This is great, because it prevents Cross Site Scripting and other evil attacks. However, there is one case where this behavior leads to undesired effects.

Rails escapes HTML entities in plain text mails. When I am using a `message.text.erb` file, ActionMailer correctly detects that the mail contains plain text and sets a `text/plain` mime type. However, ERB still handles this as an HTML file and escapes HTML entities.

For example, if my template contains `Dear <%= @customer_name %>, ...` and `@customer_name` is `Foobar & Partner`, then the mail will contain `Dear Foobar &amp; Partner`.

The following commit just disables HTML escaping in text templates. A text erb template is every file that has `.text` in the file name and is handled by erb.

@steveklabnik
Member

I thought this was already fixed?

@steveklabnik
Member

Yes, this is a duplicate of #6943.
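The behaviour described in the first comment, as an added Ruby example that is not code from Rails or from this pull request: it uses the standard library's ERB and emulates HTML auto-escaping by rewriting `<%= %>` tags. The names `MailContext`, `text_template?` and `render_part` are hypothetical, and the file-name rule is the one stated in the comment.

```ruby
require "erb"

# Hypothetical stand-in for the mailer's view context (holds @customer_name).
class MailContext
  def initialize(customer_name)
    @customer_name = customer_name
  end

  def template_binding
    binding
  end
end

# Rule from the comment above: a text template is handled by erb and has
# ".text" in its file name (for example message.text.erb).
def text_template?(filename)
  parts = File.basename(filename).split(".")
  parts.last == "erb" && parts.drop(1).include?("text")
end

# Renders one mail part and returns [mime_type, body].
# HTML parts: every <%= expr %> is wrapped in ERB::Util.html_escape, an
# emulation of auto-escaping (assumption: this is not how Rails does it).
# Text parts: values are emitted as-is, which is only appropriate because
# the part is delivered as text/plain and is never parsed as markup.
def render_part(filename, source, context)
  if text_template?(filename)
    mime = "text/plain"
  else
    mime = "text/html"
    source = source.gsub(/<%=(.*?)%>/m) do
      "<%= ERB::Util.html_escape((#{Regexp.last_match(1)})) %>"
    end
  end
  [mime, ERB.new(source).result(context.template_binding)]
end

# Constructed sample input, using the value from the comment above.
ctx = MailContext.new("Foobar & Partner")
puts render_part("message.text.erb", "Dear <%= @customer_name %>, ...", ctx).inspect
puts render_part("message.html.erb", "<p>Dear <%= @customer_name %>,</p>", ctx).inspect
```

The HTML part of the same mail keeps its escaping; only the part whose file name marks it as text is rendered without it.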
