[Rails-core] Default <%= to use the h (html safe) method.

Michael Koziarski michael at koziarski.com
Sun Feb 12 04:30:32 GMT 2006


On 2/12/06, Nathaniel S. H. Brown <nshb at inimit.com> wrote:
> I was just reading a blog post, about how PHP applications lack so much as
> far as security goes, and it got me thinking that Rails should come default
> secure, and you should have to force it to be less secure.
>
> On that note, I came up with the idea of having <%= default to use the XSS
> safe (or soon to be) h method.
>
> So, <%=h var %> and <%= var %> are really the same.
>
> Any thoughts?

Unfortunately this would break existing applications which rely on
the original behaviour.  So even if we thought it was something we'd
like to do, it'd have to wait until rails 2.0.   It's also a little
counter-intuitive, I don't know that I like the idea.

--
Cheers

Koz
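
An added example, not code from this thread or from Rails itself, showing both behaviours with Ruby's stdlib ERB: the classic `<%= %>` that inserts values verbatim, and an escape-by-default output buffer in the spirit of the proposal, where `<%= var %>` and `<%=h var %>` render identically (no double escaping) and a hypothetical `raw` helper is the explicit opt-out. `SafeString`, `EscapingBuffer`, `render_escaped` and `render_unescaped` are names chosen here, not Rails APIs.

```ruby
require 'erb'
require 'cgi'

# Marker class for strings that are already escaped or are trusted markup.
# Plain String values are treated as untrusted and escaped on output.
class SafeString < String
  def html_safe?; true; end
  def to_s; self; end   # keep the marker through ERB's "(expr).to_s"
end

# Output buffer that escapes by default: values inserted by <%= %> go
# through `append` and are escaped unless marked safe; the template's
# own literal markup arrives via `safe_append` and is kept verbatim.
class EscapingBuffer
  def initialize; @out = +''; end
  def safe_append(str); @out << str; self; end
  def append(value)
    @out << (value.respond_to?(:html_safe?) ? value : CGI.escapeHTML(value.to_s))
    self
  end
  def to_str; @out.dup; end
end

# Template helpers: `h` is the explicit escape from the thread, `raw`
# (hypothetical) is the explicit "I know this is markup" opt-out.
def h(value); SafeString.new(CGI.escapeHTML(value.to_s)); end
def raw(value); SafeString.new(value.to_s); end

# Render with <%= %> escaping by default. ERB::Compiler lets us route
# literal text and interpolated expressions to different buffer methods.
def render_escaped(template, locals = {})
  compiler = ERB::Compiler.new(nil)
  compiler.pre_cmd    = ['_buf = EscapingBuffer.new']
  compiler.put_cmd    = '_buf.safe_append'
  compiler.insert_cmd = '_buf.append'
  compiler.post_cmd   = ['_buf.to_str']
  code, = compiler.compile(template)
  b = binding
  locals.each { |k, v| b.local_variable_set(k, v) }
  eval(code, b)
end

# Stock ERB for comparison: <%= %> inserts the value unchanged.
def render_unescaped(template, locals = {})
  b = binding
  locals.each { |k, v| b.local_variable_set(k, v) }
  ERB.new(template).result(b)
end
```

With a constructed untrusted value such as `"<script>alert(1)</script>"`, `render_unescaped` reflects the markup into the page while `render_escaped` emits `&lt;script&gt;...` for both `<%= name %>` and `<%=h name %>`.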
