author    Xavier Noria <fxn@hashref.com>  2011-11-17 23:07:06 +0100
committer Xavier Noria <fxn@hashref.com>  2011-11-17 23:07:06 +0100
commit    d57d8098fc269a26ea0051a9027a33af1a9a4b2b (patch)
tree      1e46a9fc570603e5f737940dabb3a88ff94b9555
parent    9b534060bfafbf1db36e73bb3e538b8c412dcc54 (diff)
download  rails-d57d8098fc269a26ea0051a9027a33af1a9a4b2b.tar.gz
          rails-d57d8098fc269a26ea0051a9027a33af1a9a4b2b.tar.bz2
          rails-d57d8098fc269a26ea0051a9027a33af1a9a4b2b.zip
warn the user values are directly interpolated into _html translation strings
-rw-r--r-- actionpack/lib/action_view/helpers/translation_helper.rb |  2
-rw-r--r-- railties/guides/source/i18n.textile                      | 12
2 files changed, 14 insertions, 0 deletions
diff --git a/actionpack/lib/action_view/helpers/translation_helper.rb b/actionpack/lib/action_view/helpers/translation_helper.rb
index be64dc823e..0e6c3c5724 100644
--- a/actionpack/lib/action_view/helpers/translation_helper.rb
+++ b/actionpack/lib/action_view/helpers/translation_helper.rb
@@ -43,6 +43,8 @@ module ActionView
# a safe HTML string that won't be escaped by other HTML helper methods. This
# naming convention helps to identify translations that include HTML tags so that
# you know what kind of output to expect when you call translate in a template.
+ # Note however that rule extends to interpolated values, so you are responsible
+ # for passing them already escaped in the call, if they need to be.
def translate(key, options = {})
options.merge!(:rescue_format => :html) unless options.key?(:rescue_format)
translation = I18n.translate(scope_key_by_partial(key), options)
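Review bot: the added comment ("Note however that rule extends to interpolated values ...") has no clear antecedent for "that rule" and never names the consequence of getting it wrong; since the surrounding comment says an `_html` key yields "a safe HTML string that won't be escaped", state plainly that the interpolated values are inserted into that safe string without escaping, so an untrusted value containing markup is rendered as HTML (a cross-site scripting vector), and name the escape helper the caller should use, e.g. `# Note that this also applies to interpolated values: they are inserted unescaped, so` / `# pass any untrusted value through h() (ERB::Util.html_escape) yourself in the call.` A documentation note is easy to overlook; if the helper cannot escape interpolation values for `_html` keys itself, the comment should at least say "untrusted values must be escaped" rather than the softer "if they need to be".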
diff --git a/railties/guides/source/i18n.textile b/railties/guides/source/i18n.textile
index 2d4cc13571..43afa6c9e2 100644
--- a/railties/guides/source/i18n.textile
+++ b/railties/guides/source/i18n.textile
@@ -634,6 +634,18 @@ en:
!images/i18n/demo_html_safe.png(i18n demo html safe)!
+Please note that values are interpolated directly into the translation.
+If they need to be escaped you need to pass them already escaped in the +t+ call.
+
+<erb>
+# config/locales/en.yml
+en:
+ welcome_html: <b>Welcome %{name}!</b>
+
+<%# Note the call to h() to avoid injection %>
+<%= t('welcome_html', :name => h(user.name)) %>
+</erb>
+
h3. How to Store your Custom Translations
The Simple backend shipped with Active Support allows you to store translations in both plain Ruby and YAML format. [2]
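Review bot: the guide addition puts a YAML locale fragment (`# config/locales/en.yml` / `en:` / `welcome_html: ...`) and an ERB template inside a single `<erb>` block, and the prose states the rule without saying why it matters. Split the example into a `<yaml>` block for `config/locales/en.yml` and an `<erb>` block for the view, and add one sentence on the risk: because `welcome_html` is returned html_safe, `%{name}` lands in the page exactly as passed, so `t('welcome_html', :name => user.name)` with a user-supplied name containing markup is an XSS, which is what the `h(user.name)` in the example prevents. The `<%# Note the call to h() to avoid injection %>` comment is good; it would be clearer still as "to avoid HTML injection (XSS)" and placed where the prose also says "untrusted values" instead of "if they need to be escaped".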