It already HTML-escapes characteres

[elias19r]

Context

We are using the latest flutie gem in our Rails 6.1.5 app with the following code:

app/views/pages/show.html.erb

<% content_for :page_title, @page.title %>

app/views/layouts/application.html.erb

<title><%= page_title %></title>

Issue

For titles that contain characters that need to be HTML-escaped, we've noticed them being double-HTML-escaped.

For example, for the title Page & "Title" we get

<title>App : Page &amp;amp; &amp;quot;Title&amp;quot;</title>

which causes the browser to display it as

Instead, we expected to get

<title>App : Page &amp; &quot;Title&quot;</title>

which displays as expected

Workaround

We can replace <%= page_title %> with <%== page_title %> or <%= raw page_title %> to work around it.

[elias19r]

Here is a spec that asserts it already HTML-escapes characters:
https://github.com/elias19r/flutie/commit/2165815f9cc08e6d26ce575c1eaadb445c8a0243

[neilvcarvalho]

Rails escapes raw strings in the CaptureHelper since v3.1, so there shouldn't be any backwards compatibility issue in making flutie return HTML-safe strings :D

[elias19r]

@neilvcarvalho TIL about escape_once. From the docs, I see it is available in Rails 6.1

Just opened PR #92

I added a test case to it "html-escapes only once" that fails without escape_once