Flash Message with HTML_Safe from the Controller in Rails 4 (Safe Version)


Here is one possible way to solve this problem. Add a before filter to your ApplicationController which will make flash[:notice] html safe only if flash[:html_safe] is set. Then you can control when and when not to make notices html safe completely from the controller.

before_filter -> { flash.now[:notice] = flash[:notice].html_safe if flash[:html_safe] && flash[:notice] }

Then your example could be modified to this:

format.html do
  redirect_to(
    new_customer_url,
    notice: %Q[A customer already exists with this shopping id. Edit this customer #{view_context.link_to("here", edit_customer_url(@duplicate))}.],
    flash: { html_safe: true }
  )
end

Flash message from controller: its html-code is displayed as text

<%= message.html_safe %>

This will silently put all notices straight into HTML, so you don't really want to do this. You can do this if, and only if, you are 100% sure that your app never ever puts any user content in notices; otherwise your app will be vulnerable to a JS injection attack. Instead try:

Flash message with html_safe from the controller in Rails 4 (safe version)

So yes, add before_filter -> { flash.now[:success] = flash[:success].html_safe if flash[:html_safe] && flash[:success] } to your ApplicationController, and then, any time you set an html-safe flash[:success], also set flash[:html_safe] to true, like:

flash[:success] = "An email was sent to #{@user.email}. Please check your inbox. <br> If you find this email in your junk mail folder, please mark the email as 'Not Junk'.".html_safe
flash[:html_safe] = true

Edit: Yes, you can skip .html_safe at the end. You can make it more generic and remove the unnecessary message like this:

before_filter -> {
  if flash[:html_safe]
    flash.delete(:html_safe)
    flash.each do |k, message|
      # flash.now: re-mark for the current request only. A plain flash[k]= here
      # would keep the message alive for one more request and show it twice.
      flash.now[k] = message.try(:html_safe)
    end
  end
}

Rails 4, link in flash message is not parsed as HTML

You need to sanitise your flash msg in the view.

<%= sanitize(msg) %>

This will render the link in the view rather than escaping the html.

Be aware that this will apply to all flash messages in your app. If you display any user input in the flash message you will have to remember to escape it before displaying it as Rails auto escaping will not apply.

Note the sanitize helper is less permissive than the raw helper and it can be configured. It works with links automatically, and it removes script tags by default, providing some protection if you have user content in your flash, but you will need to do a full check to ensure you do not introduce any security issues. Check the Rails docs for more info.

Using HTML in Rails flash messages

If you want to include a link in your flash message from the controller there are 2 issues. Generating the link and then getting it displayed as HTML.

To use the link_to helper in the controller, fully qualify it.

To have the string display as html (instead of being escaped), call the html_safe method on the string. So the line in your controller might look like:

flash[:error] = "You can't do that. #{ActionController::Base.helpers.link_to "Here's why.", '/more_info.html'}".html_safe

Any danger in calling flash messages html_safe?

I didn't want to tempt fate by html_safe-ing all flash messages universally, so I decided to just redirect failed confirmation link attempts directly to the url I would have linked them to anyway. It's a simpler, more elegant solution, I think.

Put a link in a flash[:notice]

I may be missing something obvious, but you should just be able to do

flash[:notice] = %Q[Created job number <a href="/jobs/list?job=#{update.id}">#{update.id}</a>]

and then just make sure you're not escaping the content of the flash when you display it in your view.

I'm trying to implement `link_to` in a flash message for an update action in a controller in Rails but I cannot get it to render to the browser

You need to use html_safe when outputting the flash messages - not when storing them.

<% flash.each do |key, msg| -%>
  <%# the CSS class comes from the flash key (:notice, :error, ...) %>
  <%= content_tag :div, msg.html_safe, class: key %>
<% end -%>

.html_safe just sets a flag on the string object that it's trusted and should not be escaped.

The flash works by storing flash messages in the session storage - by default this means a cookie in the browser.

So when you do:

flash[:notice] = "foo"

You're storing the raw string "foo" in a cookie* and it's unpacked back into the session on the next request. But the string is not the same Ruby object, so the html_safe flag on the string object is not persistent.
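The following is an added example, not code from any of the answers on this page. It models in plain Ruby, with no Rails installed, the two points made above: why the html_safe flag set in the controller is gone once the flash has been through the session cookie, and the opt-in pattern from the "safe version" answer (flash[:html_safe] plus a before_filter), written so that user-supplied text is escaped before it is mixed with trusted markup. SafeBuffer stands in for ActiveSupport::SafeBuffer, a Hash for FlashHash, and a JSON round trip for the cookie serializer (the Rails default since 4.1); the hostile shopping id is constructed input. All of those are assumptions of the example.

```ruby
require 'erb'
require 'json'

# Added example, not code from the original answers. SafeBuffer models
# ActiveSupport::SafeBuffer: the "trusted" marker lives on the object, not in
# the character data, which is exactly why it cannot survive serialisation.
class SafeBuffer < String
  def html_safe?; true; end
end

class String
  def html_safe?; false; end
  def html_safe; SafeBuffer.new(self); end
end

# Stand-in for Rails' h(): escapes & < > " ' so data cannot become markup.
def h(value)
  ERB::Util.html_escape(value)
end

# Stand-in for link_to that escapes both the href and the link text.
def link_to(text, href)
  %(<a href="#{h(href)}">#{h(text)}</a>).html_safe
end

# Controller, hardened: every untrusted fragment is escaped first, the whole
# string is then marked safe, and the :html_safe key records that decision.
def duplicate_customer_flash(shopping_id, edit_path)
  notice = "A customer already exists with shopping id #{h(shopping_id)}. " \
           "Edit this customer #{link_to('here', edit_path)}."
  { notice: notice.html_safe, html_safe: true }
end

# Controller, as in the question: raw interpolation, then html_safe on the lot.
def duplicate_customer_flash_unsafe(shopping_id, edit_path)
  notice = "A customer already exists with shopping id #{shopping_id}. " \
           "Edit this customer #{link_to('here', edit_path)}."
  { notice: notice.html_safe, html_safe: true }
end

# redirect_to: the flash is serialised into the session cookie and parsed back
# on the next request. Values come back as plain String, never SafeBuffer.
def cookie_round_trip(flash)
  JSON.parse(JSON.generate(flash), symbolize_names: true)
end

# The before_filter from the "safe version" answer: re-mark the messages only
# when the controller that set them opted in via flash[:html_safe].
def restore_html_safe!(flash)
  return flash unless flash.delete(:html_safe)
  flash.keys.each { |k| flash[k] = flash[k].html_safe if flash[k].is_a?(String) }
  flash
end

# The view: ERB auto-escapes anything that is not html_safe?.
def render_notice(flash)
  msg = flash[:notice]
  msg.html_safe? ? msg.to_s : h(msg)
end

# Whole path: controller -> cookie -> next request's before_filter -> view.
def notice_after_redirect(flash)
  render_notice(restore_html_safe!(cookie_round_trip(flash)))
end

if $PROGRAM_NAME == __FILE__
  hostile_id = %q{"><script>alert(document.cookie)</script>}  # constructed input
  puts notice_after_redirect(duplicate_customer_flash(hostile_id, '/customers/42/edit'))
  puts notice_after_redirect(duplicate_customer_flash_unsafe(hostile_id, '/customers/42/edit'))
end
```

Run it and the hardened notice prints the link as a working anchor with the script tag reduced to `&lt;script&gt;` text, while the unsafe variant prints the script tag intact. Escaping covers markup injection only: if the href itself came from user input, a `javascript:` URL would pass through h() untouched, so hrefs in flash links should come from route helpers, never from request data.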

How do I add style and html to flash error message in my controller in Rails 4.0

Try adding the CSS changes in your application.css.scss file. That will automatically be loaded in all the views. But if you still want the flash message in HTML then you can use the code below.

flash[:error] = @user.errors.empty? ? "Error" :  "<h1 class='alert-danger' >#{@user.errors.full_messages.to_sentence}</h1>".html_safe

Render HTML into Rails flash message

If someone encounters the same problem, here is an answer that works for me:

1st: the .html_safe method has to be applied to the message of the flash, as Justin Licata said.

2nd: if you want to use icons (Font Awesome in my case) in your message, putting them into your message string will not work; you have to put them into the .html file which prints your flash message. (Inspired by this)

Here is my code for rendering the flash message, in my layout application.html.erb:

<% flash.each do |message_type, message| %>
  <div class="row" id="msgContainer">
    <div class="callout callout-<%= message_type %>" id="flash_message">
      <% if flash[:notice] %>
        <i class="fa fa-info"></i>
      <% end %>
      <% if flash[:danger] %>
        <i class="fa fa-exclamation-triangle"></i>
      <% end %>
      <% if flash[:success] %>
        <i class="fa fa-check"></i>
      <% end %>
      <%= message.html_safe %>
    </div>
  </div>
<% end %>

This works for me, hope this can help.

How to show a flash message before rendering the page while controller takes some time to process

I solved the problem by making the display of the intermediary message "Processing ..." no longer necessary, by reducing the controller query processing time by an order of magnitude.

I denormalized the measurements table by adding a column year_month of type text. The column is populated with the yyyy-mm part of the scheduled_on of each respective table row. The column year_month is indexed.

The total number of records in the table measurements is 120K+.

I also replaced, as necessary, in all functions and queries the occurrence of to_char(scheduled_on, 'yyyy-mm') with year_month.

Everything (all related reports) now runs perfectly and in a split second.
