Posted almost 8 years ago. Visible to the public.

Don't call gsub on safe strings

Calling #gsub on a string that was previously marked as #html_safe will lead to unexpected behavior. E. g. backreferences to captured groups ($1, $2) will be nil even if the group was matched.

There is no universal workaround available since you can't expect #html_safe strings to still be safe after using gsub on them.

You can, however, fix the $1 gsub behavior on html_safe strings.

Does your version of Ruby on Rails still receive security updates?
Rails LTS provides security patches for old versions of Ruby on Rails (3.2 and 2.3).

Owner of this card:

Avatar
Henning Koch
Last edit:
almost 7 years ago
About this deck:
We are makandra and do test-driven, agile Ruby on Rails software development.
License for source code
Posted by Henning Koch to makandra dev
This website uses cookies to improve usability and analyze traffic.
Accept or learn more