I'm using h to HTML encode some text in Rails 2, but I'm having problems with apostrophes. To be more exact, I'm finding that my apostrophes end up as ' which is obviously not what I want to display.

Anyone have any ideas why this is happening? My research has implied HTML encoding shouldn't affect apostrophes.
This is an interesting question. I'm seeing an inconsistency in how h, AKA html_escape, handles the apostrophe, AKA "'".
According to the RDoc for ERB::Util 2.6.6:

ESCAPE_TABLE = { '&'=>'&amp;', '<'=>'&lt;', '>'=>'&gt;', '"'=>'&quot;', "'"=>'&#039;', }

gem list erubis

*** LOCAL GEMS ***

erubis (2.6.6)
In IRB I see:

Welcome to IRB. You are using ruby 1.9.2p136 (2010-12-25 revision 30365) [x86_64-darwin10.5.0]. Have fun ;)
>> require 'erb' #=> true
>> ERB::Util.html_escape("foo'bar") #=> "foo'bar"
>> ERB::Util.html_escape('foo"bar') #=> "foo&quot;bar"
EDIT:

Heh, it's a bug, or at least an inconsistency, in the h method. Here's the source:

# File 'lib/erubis/helpers/rails_helper.rb', line 342
def h(value)
  value.to_s.gsub(/[&<>"]/) {|s| ESCAPE_TABLE[s] }
end
Notice the string being passed to gsub doesn't contain "'"? That means the lookup for ESCAPE_TABLE doesn't get called for single-quote/apostrophe. And, we all know the crux of the biscuit is the apostrophe. :-)
I expect that if I look at the definition for h or html_escape in your version of Rails, we'll find the apostrophe is included in that string.

The fix is either to upgrade your ERB/Erubis, or override the h/html_escape definition to be correct. You can use the definition above as a starting point.
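As an added example (not code from the question or the answer above), here is the four-character escaper quoted from the Erubis source beside a version that also covers the apostrophe, plus a check that reports whether an escaped string still contains any character that could close an attribute value or open a tag. The table names, method names and the sample string are my own; the one fact carried over is that Rails 3's html_escape emits the decimal form &#39; for the apostrophe.

```ruby
# Added example, not from the post. Two escaping helpers side by side:
# legacy_h mirrors the Erubis h() quoted in the answer (apostrophe skipped),
# safe_h covers all five HTML-significant characters.

# Constructed table matching the four characters the Erubis h() handles.
FOUR_CHAR_TABLE = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;'
}.freeze

# Same table plus the apostrophe. &#39; (decimal) is what Rails 3's
# html_escape emits; it renders in HTML and XHTML alike, unlike &apos;,
# which is XML-only.
FULL_TABLE = FOUR_CHAR_TABLE.merge("'" => '&#39;').freeze

# The Rails 2 / Erubis behaviour: the apostrophe passes through untouched.
def legacy_h(value)
  value.to_s.gsub(/[&<>"]/) { |s| FOUR_CHAR_TABLE[s] }
end

# Drop-in replacement: one extra character in the class, one extra table entry.
def safe_h(value)
  value.to_s.gsub(/[&<>"']/) { |s| FULL_TABLE[s] }
end

# True when none of < > " ' survive and every & starts an entity.
# A string that passes is safe to place inside single- or double-quoted
# attribute values as well as in element text.
def fully_escaped?(escaped)
  return false if escaped =~ /[<>"']/
  escaped !~ /&(?![a-zA-Z]+;|#\d+;|#x[0-9a-fA-F]+;)/
end

if __FILE__ == $PROGRAM_NAME
  sample = %q{<a href="x">Tom & Jerry's</a>} # constructed input
  puts "legacy: #{legacy_h(sample)}  fully escaped? #{fully_escaped?(legacy_h(sample))}"
  puts "safe:   #{safe_h(sample)}  fully escaped? #{fully_escaped?(safe_h(sample))}"
end
```

To apply the fix the answer describes, put safe_h's body behind the name h (and html_escape) in a helper module that your views mix in; where that module sits so that it wins over the Erubis definition depends on your app's helper load order, which is an assumption to check rather than something the answer states.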