Rails 3 - How to escape flash message

Question

475 views Asked by Anton R At 15 June 2015 at 12:15

Should the flash message be escaped automatically by Rails? If not, how to ensure message gets escaped (without using CGI::escapeHTML)?

After doing some searching, I figured out that it should be escaped, and one got to html_safe a message to display html. But when I try

flash[:error] = "<b>YO</b>"

it is displayed as bold YO and not as <b>YO</b>. Note that string object is not html_safe itself.

There are 3 answers

**Rokibul Hasan** · Answer 1 · 2015-06-15 12:30:27

Rokibul Hasan On 15 June 2015 at 12:30

You should use html_safe in your controller for flash message that you want escaped. It remove the raw function from the view.

flash[:error] = "<b>YO</b>".html_safe

**Xiaohong Deng** · Answer 2 · 2017-10-09 06:13:23

the correct way to handle this is in the final place you display your flash message, which is most likely to be application.html.erb. change

<%= message %>

in

  <% flash.each do |message_type, message| %>
    <div class="alert alert-<%= message_type %>"><%= message %></div>
  <% end %>

to

<%= sanitize message %>

remember always apply sanitize to the string at the end point of the pipeline your string goes through to ensure you get your style.

**Leonard Kakande** · Answer 3 · 2018-11-01 11:12:41

the questions stated without using CGI::escapeHTML. You can use a ERB::Util.html_escape in the controller

flash[:error] = escape_html('<b>Yo</b>')
....

private
  def escape_html(string_to_escape)
    ERB::Util.html_escape(string_to_escape)
  end