tiswas

Reputation: 2101

Why is HTML encoding apostrophes in Rails 2 giving an unexpected result?

I'm using h to HTML encode some text in Rails 2, but I'm having problems with apostrophes. To be more exact, I'm finding that my apostrophes end up as ' which is obviously not what I want to display.

Anyone have any ideas why this is happening? My research has implied HTML encoding shouldn't affect apostrophes.

Upvotes: 3

Views: 2575

Answers (4)

Ciryon

Reputation: 2787

I had a similar problem in Rails 4 where apostrophes would display as '. The problem actually seems to be that I was using the truncate function to display the text. Once that was removed, the apostrophes display as expected.

In this case adding escape:false as an option to truncate solves the problem.

Upvotes: 3

the Tin Man

Reputation: 160601

This is an interesting question. I'm seeing an inconsistency in how h AKA html_escape handles apostrophe AKA "'".

According to the RDoc for ERB::Util 2.6.6:

ESCAPE_TABLE = { '&'=>'&amp;', '<'=>'&lt;', '>'=>'&gt;', '"'=>'&quot;', "'"=>'&#039;', }

gem list erubis
*** LOCAL GEMS ***
erubis (2.6.6)

In IRB I see:

Welcome to IRB. You are using ruby 1.9.2p136 (2010-12-25 revision 30365) [x86_64-darwin10.5.0]. Have fun ;)
>> require 'erb' #=> true
>> ERB::Util.html_escape("foo'bar") #=> "foo'bar"
>> ERB::Util.html_escape('foo"bar') #=> "foo&quot;bar"

EDIT:

Heh, it's a bug, or at least an inconsistency, in the h method. Here's the source:

# File 'lib/erubis/helpers/rails_helper.rb', line 342

def h(value)
  value.to_s.gsub(/[&<>"]/) {|s| ESCAPE_TABLE[s] }
end

Notice the string being passed to gsub doesn't contain "'"? That means the lookup for ESCAPE_TABLE doesn't get called for single-quote/apostrophe.

And, we all know the crux of the biscuit is the apostrophe. :-)

I expect that if I look at the definition for h or html_escape in your version of Rails, we'll find the apostrophe is included in that string.

The fix is either to upgrade your ERB/Erubis, or override the h/html_escape definition to be correct. You can use the definition above as a starting point.

Upvotes: 5
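The mismatch described in the answer above, as an added example that is not part of the original answer or of Erubis/Rails: the table has an apostrophe entry, but the character class passed to gsub never matches it. All names ending in _demo and the sample strings are constructed for illustration; the last helper shows double escaping, one way (assumed here, not confirmed by the thread) an entity ends up displayed literally.

```ruby
# Added example. The *_demo names and sample strings are constructed;
# they are not the Erubis or Rails definitions.

# Table as quoted in the answer: it does contain an entry for "'".
ESCAPE_TABLE_DEMO = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
  '"' => '&quot;', "'" => '&#039;'
}.freeze

# Same shape as the quoted h: the character class omits the apostrophe,
# so the "'" entry in the table is never looked up.
def h_quoted_demo(value)
  value.to_s.gsub(/[&<>"]/) { |s| ESCAPE_TABLE_DEMO[s] }
end

# Corrected override: the character class covers every key in the table.
# An escaper that skips "'" is not safe for single-quoted attribute values.
def h_fixed_demo(value)
  value.to_s.gsub(/[&<>"']/) { |s| ESCAPE_TABLE_DEMO[s] }
end

# Consistency check that catches the mismatch: returns the table keys
# that the given escaper leaves untouched.
def unescaped_keys_demo(escaper)
  ESCAPE_TABLE_DEMO.keys.reject { |k| send(escaper, k) == ESCAPE_TABLE_DEMO[k] }
end

# Escaping text that is already escaped turns the entity's "&" into
# "&amp;", so the browser renders the entity text instead of "'".
def double_escaped_demo(text)
  h_fixed_demo(h_fixed_demo(text))
end

if __FILE__ == $PROGRAM_NAME
  puts h_quoted_demo("foo'bar")
  puts h_fixed_demo("foo'bar")
  p unescaped_keys_demo(:h_quoted_demo)
  puts double_escaped_demo("it's")
end
```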

Aaron Hinni

Reputation: 14736

From looking at the source code in actionpack/lib/action_view/erb/util.rb, apostrophes aren't encoded, only & > < " characters.

My guess is somewhere in your Rails app a library/plugin/gem has redefined html_escape or the HTML_ESCAPE constant. You should also check your data directly in the database to ensure that it hadn't already been encoded when saved.

Upvotes: 1

user142019

Reputation:

Ruby on Rails 3 does h automatically. This is not needed anymore. Use

<%= @post.body %>

instead of

<%=h @post.body %>

If you do want to output anything without escaping it, use raw:

<%=raw @post.body %> <!-- For example, for use in a plaintext format -->

Upvotes: 2
