Unescaping HTML string | 易学教程

I have the inherited the following string (I can do nothing about the format):

 &lt;iframe \n  class=\"some_class\"\n  type=\"text/html\" \n  src=\"/embed/iframe_content.html?id=tsqA5D7_z10\" \n  width=\"960\" \n  height=\"593\" \n  marginwidth=\"0\" \n  marginheight=\"0\" \n  frameborder=\"0\"&gt;\n&lt;/iframe&gt;

I am rendering it in an erb template like this:

<%= the_string %>

At the moment it renders as text like this:

&lt;iframe  class="some_class" type="text/html" src="/embed/iframe_content.html?id=tsqA5D7_z10" width="960" height="593"  marginwidth="0" marginheight="0" frameborder="0"&gt;&lt;/iframe&gt;

I need to render it as HTML.

I have tried the following:

<%= the_string.html_safe %> # Renders the string unchanged
<%= CGI.unescapeHTML(the_string) %> # Errors with a Type Error 'can't dup NilClass'
<%= CGI.unescapeHTML(the_string).html_safe %> # Errors with a Type Error 'can't dup NilClass'
<%= raw the_string %> # Renders the string unchanged

How can I render this string as HTML?

As you seem to have noticed, there are two things you need to take care of:

Unescaping the HTML entities
Printing the raw html in your view

For number 2 <%= raw ... %> should work fine.

For number 1 CGI.unescapeHTML was the right idea, but I don't think it recognizes all HTML entities so I would recommend taking a look at the HTML Entites gem

You can also try and use the simple_format helper method, but I think you are going to have to pass it some options for it to allow the <iframe> tag

also I would strongly suggest moving your unescaping logic into a helper method.

user1415428

what you are unescaping must not be a string and thats why you are getting Errors with a Type Error can't dup NilClass

Try doing
s = String.new your_obj.to_s

Now do

CGI.unescapeHTML(s)

In the end I had to use the HTMLEntities Gem suggested by Matthew;

Installed the gem with RVM and added it to my Gemfile
Required it in my application.rb
The following was the only way I could get it to render correctly. Note the extra single quotes wrapped around the_string. Without them the angle brackets don't render, though everything else does.
```
coder = HTMLEntities.new
raw coder.decode("'"+the_string+"'")
```

You can try this:

<%= raw the_string %>

Version 3 sounds valuable. Any reason why you are not using the_string?

<%= raw CGI.unescapeHTML(the_string) %>

来源：https://stackoverflow.com/questions/10677908/unescaping-html-string

标签

html

escaping