[Rails-core] Default <%= to use the h (html safe) method.
Nathaniel S. H. Brown
nshb at inimit.com
Sun Feb 12 04:27:11 GMT 2006
I was just reading a blog post about how PHP applications lack so much as far as security goes, and it got me thinking that Rails should come default secure, and you should have to force it to be less secure.

On that note, I came up with the idea of having <%= default to use the XSS safe (or soon to be) h method.

So, <%=h var %> and <%= var %> are really the same.

Any thoughts?
-Nb
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Nathaniel S. H. Brown http://nshb.net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
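As an added illustration of the proposal (example code written for this page, not from the post or from Rails): a stand-in `h` built on `CGI.escapeHTML`, plus a small template rewriter that makes a plain `<%=` escape by default, while a hypothetical `<%==` form is the explicit opt-out for trusted markup. The template and the untrusted input are constructed sample values.

```ruby
require "erb"
require "cgi"

# Stand-in for the Rails +h+ helper: escape the characters that would
# otherwise let an interpolated string be parsed as markup.
def h(value)
  CGI.escapeHTML(value.to_s)
end

# Rewrite a template so every "<%= expr %>" becomes "<%= h(expr) %>".
# A hypothetical "<%== expr %>" form (assumed here, not stdlib ERB syntax)
# is turned into a plain raw "<%= expr %>", so bypassing escaping is an
# explicit choice rather than the default.
def escape_by_default(template)
  template.gsub(/<%(=+)(.*?)%>/m) do
    marker, expr = $1, $2
    marker == "=" ? "<%= h(#{expr.strip}) %>" : "<%=#{expr}%>"
  end
end

# Render +template+ with +locals+; +escape+ selects which default applies
# (false reproduces the raw <%= behaviour the post wants to move away from).
def render(template, locals, escape: true)
  src = escape ? escape_by_default(template) : template
  ERB.new(src).result_with_hash(locals)
end

# Constructed sample: the same untrusted value rendered both ways.
TEMPLATE = "<p>Hello, <%= name %>!</p>"

def demo
  locals = { name: %q{<script>alert(1)</script>} } # constructed untrusted input
  {
    raw:     render(TEMPLATE, locals, escape: false),
    escaped: render(TEMPLATE, locals),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |mode, html| puts "#{mode}: #{html}" }
end
```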