brianmario / escape_utils

Faster string escaping routines for your ruby apps
MIT License

ERB::Util.html_escape should call #to_s on argument #2

Closed chuyeow closed 14 years ago

chuyeow commented 14 years ago

The ERB monkey patch should convert its argument to a string so that it doesn't unexpectedly try to escape, for example, a Fixnum. An example of this in practice would be a Rails form generated using form helpers like so, with id being a Fixnum:

<% form_for ... %>
  <%= f.hidden_field :id %>
<% end %>

A simple change would fix this:

require 'escape_utils'

class ERB
  module Util
    # Convert first so a non-String argument (e.g. a Fixnum id) is
    # escaped instead of being rejected.
    def html_escape(s)
      EscapeUtils.escape_html(s.to_s)
    end
  end
end

Thanks!
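The failure mode described in this issue, and the #to_s fix, as an added example that is not part of the original thread or of escape_utils' own code. It is written in pure Ruby so it runs without the gem; the escaper names, the UntrustedLabel class and the hidden_field_tag helper are hypothetical stand-ins for the EscapeUtils call and the Rails form helper.

```ruby
# Added example, not escape_utils' own code. The strict escaper below models the
# pre-fix behaviour the issue reports (a non-String argument is rejected), and
# escape_html models the proposed fix (#to_s first, then escape).
HTML_ESCAPE_TABLE = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;'
}.freeze

# Strict escaper: only accepts a String, so an Integer id, a Symbol or nil
# raises instead of being escaped.
def strict_escape_html(s)
  raise TypeError, "wrong argument type #{s.class} (expected String)" unless s.is_a?(String)
  s.gsub(/[&<>"']/, HTML_ESCAPE_TABLE)
end

# Escaper with the fix: convert with #to_s, then escape the result. Escaping
# happens after conversion, so an object whose #to_s emits markup is still
# neutralised rather than treated as pre-escaped output.
def escape_html(value)
  strict_escape_html(value.to_s)
end

# Hidden-field helper in the shape of the Rails form helper from the issue
# (hypothetical); both attribute name and value pass through escape_html.
def hidden_field_tag(name, value)
  %(<input type="hidden" name="#{escape_html(name)}" value="#{escape_html(value)}" />)
end

# Returns the error class the strict escaper raises for a value, or nil if it
# escapes successfully. Used to show the pre-fix behaviour on an Integer id.
def strict_failure_class(value)
  strict_escape_html(value)
  nil
rescue TypeError => e
  e.class
end

# Constructed model object whose #to_s contains markup: the point of the check
# is that #to_s output is untrusted and still gets escaped.
class UntrustedLabel
  def initialize(text)
    @text = text
  end

  def to_s
    @text
  end
end

if __FILE__ == $PROGRAM_NAME
  puts strict_failure_class(42).inspect
  puts hidden_field_tag(:id, 42)
  puts escape_html(UntrustedLabel.new('<script>alert(1)</script>'))
end
```

The Integer id from the form helper is the case the issue hits: the strict escaper raises TypeError on 42, while escape_html returns "42". The UntrustedLabel case is the caveat worth keeping in mind when adding a #to_s call: the conversion must feed into the escaper, not replace it.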

brianmario commented 14 years ago

Should be fixed here http://github.com/brianmario/escape_utils/commit/b7df7fb6d41323f42e8db43f8ce3fc6fe5a73bca

Will push another release soon.

brianmario commented 14 years ago

0.1.4 pushed, closing - reopen if you have trouble