Any danger in calling flash messages html_safe?

Posted by PreciousBodilyFluids on Stack Overflow See other posts from Stack Overflow or by PreciousBodilyFluids
Published on 2010-05-23T20:01:58Z Indexed on 2010/05/23 20:11 UTC
Read the original article Hit count: 282

Filed under:
|
|

I want a flash message that looks something like:

"That confirmation link is invalid or expired. Click here to have a new one generated."

Where "click here" is of course a link to another action in the app where a new confirmation link can be generated. Two drawbacks: One, since link_to isn't defined in the controller where the flash message is being set, I have to put the link html in myself. No big deal, but kind of messy.

Number two: In order for the link to actually display properly on the page I have to html_safe the flash display function in the view, so now it looks like (using Haml):

- flash.each do |name, message|
  = content_tag :div, message.html_safe

This gives me pause. Everything else I html_safe has been HTML I've written myself in helpers and whatnot, but the contents of the flash hash are stored in a cookie client-side, and could conceivably be changed. I've thought through it, and I don't see how this could result in an XSS attack, but XSS isn't something I have a great understanding of anyway.

So, two questions: 1. Is there any danger in always html_safe-ing all flash contents like this? 2. The fact that this solution is so messy (breaking MVC by using HTML in the controller, always html_safe-ing all flash contents) make me think I'm going about this wrong. Is there a more elegant, Rails-ish way to do this?

I'm using Rails 3.0.0.beta3.

© Stack Overflow or respective owner

Related posts about ruby-on-rails

Related posts about xss