Rails 3小部件助手部分

Question

I ran into a big problem in moving my application to Rails 3. I have a view helper which i call 'WidgetHelper'. It helps to render some partials automatically when i refer to it. For example

<%= widget('loginbox', :global => true) %>

But it not works correctly. It renders HTML code as I want, but escapes the return value, what is not expected. How can I tell to render (or to something) to not escape the return value for me?

Here is my code:

  def widget(widget, options={})
    begin
      unless options[:fullpath]
        render :partial => widget_path(widget, options[:global])
      else
        render "widgets/#{widget}"
      end
    rescue ActionView::MissingTemplate
      "<!-- widget: #{widget.inspect}, #{options.inspect} -->"
    end
  end

Answer 1

def widget(widget, options={})
  begin
    unless options[:fullpath]
      raw render(:partial => widget_path(widget, options[:global]))
    else
      raw render("widgets/#{widget}"))
    end
  rescue ActionView::MissingTemplate
    raw "<!-- widget: #{widget.inspect}, #{options.inspect} -->"
  end
end

The raw method of Rails 3 does the reverse of h method in Rails 2. Escaping a string was done with the h method on Rails 2. On Rails 3, strings output from a view are escaped by default, and the escaping can be disabled by the raw method.

Answer 2

Rails 3 changed the way that content filtering works - it by default assumes you want everything filtered.

You can correct this using html_safe :

"<!-- widget: #{widget.inspect}, #{options.inspect} -->".html_safe

See: http://asciicasts.com/episodes/204-xss-protection-in-rails-3