From d57d8098fc269a26ea0051a9027a33af1a9a4b2b Mon Sep 17 00:00:00 2001
From: Xavier Noria <fxn@hashref.com>
Date: Thu, 17 Nov 2011 23:07:06 +0100
Subject: warn the user values are directly interpolated into _html translation
 strings

---
 railties/guides/source/i18n.textile | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'railties')

diff --git a/railties/guides/source/i18n.textile b/railties/guides/source/i18n.textile
index 2d4cc13571..43afa6c9e2 100644
--- a/railties/guides/source/i18n.textile
+++ b/railties/guides/source/i18n.textile
@@ -634,6 +634,18 @@ en:
 
 !images/i18n/demo_html_safe.png(i18n demo html safe)!
 
+Please note that values are interpolated directly into the translation.
+If they need to be escaped you need to pass them already escaped in the +t+ call.
+
+<erb>
+# config/locales/en.yml
+en:
+  welcome_html: <b>Welcome %{name}!</b>
+
+<%# Note the call to h() to avoid injection %>
+<%= t('welcome_html', :name => h(user.name)) %>
+</erb>
+
 h3. How to Store your Custom Translations
 
 The Simple backend shipped with Active Support allows you to store translations in both plain Ruby and YAML format. [2]
-- 
cgit v1.2.3