I need a flash message that looks something like this:
"This confirmation link is invalid or has expired. Click here to create a new one."
Where "click here", of course, is a link to another action in the application, where you can create a new confirmation link. Two drawbacks: one, since link_to is not defined in the controller where the flash message is set, I have to write the HTML link myself. It's okay, but kind of messy.
Number two: for the link to display correctly on the page, I need html_safe to display the flash in the view, so it now looks like this (using Haml):
- flash.each do |name, message|
  = content_tag :div, message.html_safe
This bothers me. Everything else I have called html_safe on was HTML I wrote myself in helpers and so on, but the contents of the flash hash are stored client-side in the cookie and could, possibly, be changed. I have thought this through and I don't see how this could lead to an XSS attack, but XSS is not something I understand all that well.
So, two questions: 1. Is there any danger in always html_safe-ing all flash contents like this? 2. The fact that this solution is so hacky (breaking MVC by putting HTML in the controller, always html_safe-ing all the contents of the flash) makes me think I'm doing it wrong. Is there a more elegant, Rails-ish way to do this?
I am using Rails 3.0.0.beta3.
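To make the risk concrete, here is an added example (not the questioner's code, and not Rails itself) in plain Ruby that stands in for the two view strategies. It models the flash as a plain Hash, uses ERB::Util.html_escape from the standard library in place of Rails' escaping, and uses a hand-written stand-in for link_to; the message table, the key name confirmation_expired and the path /confirmations/new are assumptions. The point it shows: if every flash value is marked html_safe, a flash value that arrives tampered in the client-side cookie reaches the page as live markup, whereas if the controller stores only a short identifier and the view (where link_to is available) builds the markup from a fixed table and escapes everything else, a tampered value can at most select one of the canned messages or be rendered as inert text.

```ruby
require 'erb'

# Stand-in for the Rails link_to helper (assumption: attribute and text are both escaped).
def link_to(text, url)
  %(<a href="#{ERB::Util.html_escape(url)}">#{ERB::Util.html_escape(text)}</a>)
end

# Strategy 1, the one in the question: every flash value is treated as html_safe.
# Whatever is in the cookie is interpolated into the page unchanged.
def render_flash_unsafe(flash)
  flash.map do |name, message|
    %(<div class="#{ERB::Util.html_escape(name)}">#{message}</div>)
  end.join("\n")
end

# Strategy 2: the controller stores a bare identifier, e.g. flash[:alert] = 'confirmation_expired',
# and the view owns the markup. Only identifiers in this table (assumed here) produce HTML;
# the link text and URL live in the view, where link_to is defined.
FLASH_MESSAGES_WITH_LINKS = {
  'confirmation_expired' => lambda do
    'This confirmation link is invalid or has expired. ' +
      link_to('Click here to create a new one.', '/confirmations/new')
  end
}.freeze

def render_flash_safe(flash)
  flash.map do |name, message|
    builder = FLASH_MESSAGES_WITH_LINKS[message.to_s]
    body = if builder
             builder.call            # markup built in the view from trusted parts only
           else
             ERB::Util.html_escape(message) # any other value is untrusted text and gets escaped
           end
    %(<div class="#{ERB::Util.html_escape(name)}">#{body}</div>)
  end.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: what the controller sets, and what a tampered cookie could carry.
  normal   = { 'alert' => 'confirmation_expired' }
  tampered = { 'alert' => '<script>alert(1)</script>' }

  puts "== strategy 1, tampered flash =="
  puts render_flash_unsafe(tampered)   # script tag reaches the page as-is
  puts "== strategy 2, normal flash =="
  puts render_flash_safe(normal)       # link rendered from the view's own table
  puts "== strategy 2, tampered flash =="
  puts render_flash_safe(tampered)     # script tag rendered as inert text
end
```

In a real Rails view the same idea is a helper called from the Haml loop: look the flash value up in a small table of known keys, render those with link_to, and let the default escaping handle everything else, so nothing that came from the cookie is ever marked html_safe.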