
In my controller action I am doing:

@user = user.to_json

Then in my view I am doing:

<script type="text/javascript">
<%= @user %>
</script>

And the resulting html is like:

[{&quot;user&quot;:{&quot;age&quot;:8,....

Why does it contain &quot; everywhere?

In irb it outputs just fine like:

[{\"user\":{\"age\":8,...


In Rails 3 all output in the views is escaped by default. You used to have to call h(..) to escape stuff.

You can tell Rails that what you are outputting really is safe and that Rails doesn't need to worry about it by calling html_safe:

<script type="text/javascript">
<%= @user.html_safe %>
</script>

The reason for this is this data often comes from your users (people post forms for example), and they can include malicious stuff that you would then output, leading to XSS attacks and the like. Rails 3 took a (somewhat controversial) approach of being extra cautious here.

Here is a good blog post from Yehuda about html_safe and what's really going on.


Try the raw method?

<%= raw @user %>

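An added example (not code from either answer above, and not Rails' own code) showing what each approach actually emits inside the `<script>` block from the question: the HTML-escaped output the asker saw, the verbatim output that html_safe and raw produce, and a JSON-aware escape that keeps the output valid JSON while making it inert to the HTML parser. It runs on the Ruby standard library alone. The sample record, the `breaks_out_of_script?` check and the constant names are constructed here; the `json_escape` mapping is assumed to match the one Rails' ERB::Util.json_escape applies (&, <, >, U+2028 and U+2029 to their \uXXXX JSON escapes).

```ruby
require 'erb'
require 'json'

# Constructed sample record: the shape from the question, plus a name field
# holding attacker-controlled text (e.g. a value a user typed into a form).
USER = [{ 'user' => { 'age' => 8, 'name' => '</script><script>alert(1)</script>' } }].freeze

# What `<%= @user %>` does in a Rails 3 view: the JSON string is HTML-escaped,
# so every quote becomes &quot; and the browser sees broken JavaScript.
def escaped_json(data)
  ERB::Util.html_escape(data.to_json)
end

# What `<%= @user.html_safe %>` / `<%= raw @user %>` do: emit the JSON verbatim.
# The HTML parser ends a <script> element at the first "</script" it sees,
# regardless of JSON string quoting, so a user-supplied value can close the
# tag and inject its own markup.
def raw_json(data)
  data.to_json
end

# JSON-aware escaping: replace the characters that matter to the HTML parser
# with their \uXXXX JSON escapes. The result is still valid JSON for the same
# data, but can no longer terminate the <script> element or inject tags.
# Assumption: this mirrors the mapping used by Rails' ERB::Util.json_escape;
# it is reimplemented here so the script runs on the standard library alone.
JSON_ESCAPE = {
  '&' => '\u0026',
  '>' => '\u003e',
  '<' => '\u003c',
  "\u2028" => '\u2028', # line separator, a JavaScript line terminator
  "\u2029" => '\u2029'  # paragraph separator, likewise
}.freeze
JSON_ESCAPE_REGEXP = /[&<>\u2028\u2029]/u

def json_escape(json)
  json.gsub(JSON_ESCAPE_REGEXP, JSON_ESCAPE)
end

def safe_json(data)
  json_escape(data.to_json)
end

# Constructed check for the failure mode: does the output contain a sequence
# that the HTML parser would treat as the end of the <script> element?
def breaks_out_of_script?(output)
  output.match?(%r{</script}i)
end

if __FILE__ == $PROGRAM_NAME
  [['html-escaped (question)', escaped_json(USER)],
   ['raw / html_safe (answers)', raw_json(USER)],
   ['json_escape', safe_json(USER)]].each do |label, out|
    puts "#{label}: breaks out of <script>? #{breaks_out_of_script?(out)}"
    puts "  #{out}"
  end
end
```

The point for a practitioner: html_safe and raw both stop the escaping, but they stop all of it, so any `</script>` inside a user-supplied field closes the script element and the rest of the value is parsed as HTML. Escaping `<`, `>` and `&` inside the JSON string instead keeps the payload parseable by JSON.parse while leaving nothing for the HTML parser to act on. In a Rails view the equivalent of `safe_json` above is the json_escape helper combined with raw (assumed usage: `<%= raw json_escape(@user) %>`), applied to the JSON string rather than marking the unescaped string html_safe.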
