
Rails: Create a Report System in Rails


I'm trying to adapt my messages system in order to be able to use it to send reports to users. For instance, a user might finish a job and he will then receive a private message as a report for that.

The problem is storing the report to my database. A report is not just text. It can have links, or even user generated data, that was previously stored in the db.

My idea was using render_to_string to render a view to a variable and then store it to the database as a new message. However, user generated data and links are a problem, because they are not escaped. Ideally, html tags like
should not be escaped, as well as link_to's. However, if there is a <%= user.username %> somewhere in the report, this one should be escaped.

I'm a bit stumped by that. Do you know of an efficient way to do it?


Solution

  • Generally anything that's in HTML mode you can escape with:

    <%= h(user.username) %>
    

    This is the simple "render safe HTML" helper method available to all views. Plain-text does not need to be escaped the same way.
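The following is an added example, not code from the original question or answer: it renders a report to a string with plain stdlib ERB (standing in for `render_to_string`), keeping the template's own markup and link intact while escaping every user-supplied value. The `ReportRenderer` module, its `link` helper (a stand-in for `link_to`) and the sample values are assumptions made for illustration.

```ruby
require "erb"

# Added example: stdlib ERB without Rails, where <%= %> output is NOT
# escaped automatically, so every untrusted value must go through h().
module ReportRenderer
  # Constructed report template: the markup is trusted, the values are not.
  TEMPLATE = <<~'ERB_SRC'
    <h2>Job finished</h2>
    <p>Completed by <%= h(username) %>.</p>
    <p><%= link(job_url, job_title) %></p>
  ERB_SRC

  # Same job as the h() view helper: escapes & < > " '
  def self.h(value)
    ERB::Util.html_escape(value)
  end

  # Hypothetical stand-in for link_to: the <a> tag itself is emitted as
  # markup, but both the href attribute and the link text are escaped.
  def self.link(url, text)
    %(<a href="#{h(url)}">#{h(text)}</a>)
  end

  # Returns the finished HTML string, i.e. the body that would be stored
  # as the new message.
  def self.render(username:, job_title:, job_url:)
    ERB.new(TEMPLATE).result(binding)
  end
end

if __FILE__ == $0
  # Constructed sample input with markup in the user-controlled fields.
  puts ReportRenderer.render(
    username:  "<script>alert(1)</script>",
    job_title: "Q3 & Q4 export",
    job_url:   "/jobs/42?a=1&b=2"
  )
end
```

The stored string is already escaped, so the view that later displays the message must output it without escaping it a second time.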