warn the user values are directly interpolated into _html translation strings

2011-11-17 23:07:06 +01:00 · 2011-11-17 23:07:06 +01:00 · d57d8098fc
commit d57d8098fc
parent 9b534060bf
2 changed files with 14 additions and 0 deletions
--- a/actionpack/lib/action_view/helpers/translation_helper.rb
+++ b/actionpack/lib/action_view/helpers/translation_helper.rb
@ -43,6 +43,8 @@ module TranslationHelper
      # a safe HTML string that won't be escaped by other HTML helper methods. This
      # naming convention helps to identify translations that include HTML tags so that
      # you know what kind of output to expect when you call translate in a template.
+      # Note however that rule extends to interpolated values, so you are responsible
+      # for passing them already escaped in the call, if they need to be.
      def translate(key, options = {})
        options.merge!(:rescue_format => :html) unless options.key?(:rescue_format)
        translation = I18n.translate(scope_key_by_partial(key), options)
--- a/railties/guides/source/i18n.textile
+++ b/railties/guides/source/i18n.textile
@ -634,6 +634,18 @@ en:

 !images/i18n/demo_html_safe.png(i18n demo html safe)!

+Please note that values are interpolated directly into the translation.
+If they need to be escaped you need to pass them already escaped in the +t+ call.
+
+<erb>
+# config/locales/en.yml
+en:
+  welcome_html: <b>Welcome %{name}!</b>
+
+<%# Note the call to h() to avoid injection %>
+<%= t('welcome_html', :name => h(user.name)) %>
+</erb>
+
 h3. How to Store your Custom Translations

 The Simple backend shipped with Active Support allows you to store translations in both plain Ruby and YAML format. [2]