Tri*_*ote 3 ruby validation ruby-on-rails-3
I have this nice class, ErrorFormBuilder, that allows me to add the error description near the corresponding field in the form view:
    class ErrorFormBuilder < ActionView::Helpers::FormBuilder
      # Adds error message directly inline to a form label
      # Accepts all the options normally passed to form.label as well as:
      #   :hide_errors - true if you don't want errors displayed on this label
      #   :additional_text - Will add additional text after the error message or after the label if no errors
      def label(method, text = nil, options = {})
        # Check to see if text for this label has been supplied and humanize the field name if not.
        text = text || method.to_s.humanize
        # Get a reference to the model object
        object = @template.instance_variable_get("@#{@object_name}")
        # Make sure we have an object and we're not told to hide errors for this label
        unless object.nil? || options[:hide_errors]
          # Check if there are any errors for this field in the model
          errors = object.errors.on(method.to_sym)
          if errors
            # Generate the label using the text as well as the error message wrapped in a span with error class
            text += " <br/><span class=\"error\">#{errors.is_a?(Array) ? errors.first : errors}</span>"
          end
        end
        # Add any additional text that might be needed on the label
        text += " #{options[:additional_text]}" if options[:additional_text]
        # Finally hand off to super to deal with the display of the label
        super(method, text, options)
      end
    end
But the HTML:

    text += " <br/><span class=\"error\">#{errors.is_a?(Array) ? errors.first : errors}</span>"
is escaped by default in the view... I tried adding the {:escape => false} option:

    super(method, text, options.merge({:escape => false}))
without success.

Is there a way to get around this behavior?

Thanks
Have you tried making your string html_safe?
    irb(main):010:0> a = "A string"
    => "A string"
    irb(main):011:0> a.html_safe?
    => false
    irb(main):012:0> b = a.html_safe
    => "A string"
    irb(main):013:0> b.html_safe?
    => true
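See http://www.railsdispatch.com/posts/security and scroll down to "What you need to know" near the bottom:

In general, you can build your Rails app exactly as before. Rails will automatically escape any Strings that it doesn't create. In almost all cases, this is the right behavior, with no further modifications required.

If Rails is escaping a String that you want to pass through without escaping, simply mark it safe. If you create a String in a helper, you may want to mark parts of it as safe.

I can't test whether this works in your subclassed helper, but I would think so.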
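An added example, not code from the question or the answer: html_safe marks the whole string as trusted, so the label text and the error message interpolated into the span have to be escaped before the fixed markup is appended. The names `label_text_with_error` and `SAMPLE_ERROR` are hypothetical; the sketch uses `ERB::Util.html_escape` from the standard library and calls `html_safe` only where Rails defines it.

```ruby
require "erb"

# Hypothetical helper (not part of the question's ErrorFormBuilder).
# Builds the label text from the same pieces as the question's label method,
# escaping every dynamic value and leaving only the fixed markup unescaped.
def label_text_with_error(text, errors, additional_text = nil)
  # Interpolation yields a plain String, so later appends are not re-escaped
  # by Rails' SafeBuffer.
  html = "#{ERB::Util.html_escape(text)}"

  # errors may be a single message, an Array of messages, nil, or [].
  message = errors.is_a?(Array) ? errors.first : errors
  if message
    html << " <br/><span class=\"error\">#{ERB::Util.html_escape(message)}</span>"
  end

  # Assumption: additional_text is plain text, so it is escaped as well.
  html << " #{ERB::Util.html_escape(additional_text)}" if additional_text

  # Inside Rails, mark the finished string as safe so the view does not
  # escape the <br/> and <span>. Outside Rails, String has no html_safe
  # and the plain String is returned.
  html.respond_to?(:html_safe) ? html.html_safe : html
end

# Constructed sample: a validation message that echoes submitted input.
SAMPLE_ERROR = "<script>alert(1)</script> is not a valid name"

if __FILE__ == $PROGRAM_NAME
  puts label_text_with_error("Name", [SAMPLE_ERROR], "(required)")
end
```

Inside the builder, the returned string would be what gets passed to `super(method, text, options)` in place of the concatenated `text`.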