rails: unescapeHTML crashes with certain *.html_safe inputs

I have a situation where I need to call unescapeHTML on a string that was marked as html_safe, but when certain strings are set for unescape, a crash happens with an error like:

CGI.unescapeHTML('The experimental macro Hello Latex["\"sdsd\""'.html_safe)
TypeError: can't dup NilClass
        from /usr/lib/ruby/1.9.1/cgi/util.rb:56:in `dup'
        from /usr/lib/ruby/1.9.1/cgi/util.rb:56:in `block in unescapeHTML'
        from /var/lib/gems/1.9.1/gems/activesupport-3.2.13/lib/active_support/core_ext/string/output_safety.rb:169:in `gsub'
        from /var/lib/gems/1.9.1/gems/activesupport-3.2.13/lib/active_support/core_ext/string/output_safety.rb:169:in `gsub'

I can reproduce it in a rails console:

txt='The experimental macro Hello Latex["\"sdsd\""'
txt=txt.html_safe
CGI.unescapeHTML(txt)

The string is:

'The experimental macro Hello Latex["\"sdsd\""'

One way to not trigger this problem is to interpolate the SafeBuffer generated by html_safe in a string. Then, no crash occurs. Using the to_s method of SafeBuffer does not work because it returns self.

txt='The experimental macro Hello Latex["\"sdsd\&quote;&quote;'
txt="#{txt.html_safe}"
CGI.unescapeHTML(txt)

My configuration is as follows:

Environment:

  • Ruby version: 1.9.3-p194 (2012-04-20) [x86_64-linux]
  • Rails version: 3.2.13
  • Database adapter: Mysql2

About this issue

  • State: closed
  • Created 11 years ago
  • Comments: 22 (19 by maintainers)

Most upvoted comments

@ptsneves, using CGI.unescapeHTML(txt.to_str) is the currently recommended solution.
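An added example, not part of the issue thread and not Rails code: the backtrace above shows a block in unescapeHTML reading `$1` after gsub was dispatched through the SafeBuffer wrapper, and Ruby sets `$~`/`$1` in the frame that directly calls String#gsub, so a block defined elsewhere sees nil. `WrappedBuffer`, `captures_seen`, `demo` and the sample string are hypothetical stand-ins constructed for this sketch.

```ruby
# Stand-in for ActiveSupport::SafeBuffer (hypothetical class for this example):
# a String subclass whose gsub is a Ruby-level wrapper and whose to_s returns self.
class WrappedBuffer < String
  def gsub(*args, &block)
    # String#gsub stores its match data ($~, $1) in THIS method's frame,
    # not in the frame where the caller's block was defined.
    super(*args, &block)
  end

  def to_s
    self
  end
end

# Hypothetical block-based unescape helper that, like the block in the
# backtrace, reads $1. Returns the capture values the block actually saw.
def captures_seen(str)
  seen = []
  str.gsub(/&(quot|amp|lt|gt);/) { seen << $1; "" }
  seen
end

SAMPLE = 'Latex[&quot;sdsd&quot;]' # constructed input

def demo
  wrapped = WrappedBuffer.new(SAMPLE)
  {
    plain:        captures_seen(SAMPLE),          # direct String#gsub call
    wrapped:      captures_seen(wrapped),         # goes through the wrapper
    to_s:         captures_seen(wrapped.to_s),    # to_s returns self: still wrapped
    to_str:       captures_seen(wrapped.to_str),  # plain String copy
    interpolated: captures_seen("#{wrapped}"),    # interpolation builds a plain String
  }
end

demo.each { |name, caps| puts "#{name}: #{caps.inspect}" } if __FILE__ == $PROGRAM_NAME
```

The string returned by `to_str` is a plain String, so the result of unescaping it is not marked html_safe and Rails will escape it again on output.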