Can't store html_safe in flash hash.

[Justin Coyne]

I believe due to this change: https://github.com/rails/rails/pull/13945#issuecomment-34090370  we're no longer able to set html_safe strings in the flash message.  Is this a bug?  Does anyone have an opinion on the right way set a flash message with a link in it now?

-Justin

[Rafael Mendonça França]

Instead of marking the flash value as html_safe it is better to proper sanitize it when presenting in your view. I believe <%= sanitize(flash[:notice) %> would work fine.

​

Rafael Mendonça França
http://twitter.com/rafaelfranca
https://github.com/rafaelfranca

On Mon, Jun 16, 2014 at 12:35 PM, Justin Coyne <jus...@curationexperts.com> wrote:

I believe due to this change: https://github.com/rails/rails/pull/13945#issuecomment-34090370  we're no longer able to set html_safe strings in the flash message.  Is this a bug?  Does anyone have an opinion on the right way set a flash message with a link in it now?

-Justin

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-co...@googlegroups.com.
To post to this group, send email to rubyonra...@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/d/optout.

[Jonathan Rochkind]

If the flash message was created entirely by program code with no user input, marking html_safe may be appropriate -- and sanitizing may not be. Same as, say, running the output of a `render :partial` through `sanitize` -- the html output may have only included tags that happen to be whitelisted by sanitize, so it may work, but it's not really the right thing to do, and will fail in cases where the output had things not in sanitize's whitelist.  

Previously in our app, some parts of code supplied plain text to flash (in strings not marked html_safe), and expected it would be properly escaped. Other parts of code supplied `.html_safe` strings to flash, and expected it would be displayed as html without escaping. 

Simply running everything through `sanitize` actually risks breaking both code paths -- the things supplying non-html_safe strings may find that certain code that looks like html tags makes it through as html, when it was expected to be escaped. (Imagine a string "<a> The first part; <b> The second part").   While the things that supplied properly html-safe strings (which already had tainted sub-strings properly escaped) may find that some HTML code that was intended to make it through -- gets stripped by sanitize because it wasn't on the whitelist. 

In general, the html_safe mechanism is already pretty good at keeping things intended as HTML code (which were already produced in safe ways) separate from things intended as plain text (which shoudln't just be sanitized, they should be escaped), and making sure they get combined properly (eg `safe_join`), etc. 

But as of Rails 4.1, I guess this mechanism is unavailable for flash messages, simply marking a flash message html_safe or not. I miss it, it worked out well. I guess another workaround needs to be found for our program design, but simply passing everything through `sanitize` isn't really it, I don't think. 

Jonathan

[Rafael Mendonça França]

It doesn’t work on Rails 4.1 due the way flash are stored now by default.

In Rails 4.1 the default is to store cookies (and for consequence the flash) using JSON serialization, this serialization doesn’t store complex objects like ActiveSupport::SafeBuffer, a model instance, etc. This is the reason it doesn’t save the HTML safety of your string.

You still can use the old Marshal serialization configuring it in your application. That would bring back the possibility to store HTML safe strings on the flash but it is also less secure than the JSON serializer.

​

Rafael Mendonça França
http://twitter.com/rafaelfranca
https://github.com/rafaelfranca