[Rails-core] Default <%= to use the h (html safe) method.

Obie Fernandez obiefernandez at gmail.com
Sun Feb 12 04:31:50 GMT 2006


+1

Would reduce clutter on the templates. It's pretty annoying to have to
remember to put them in, and even more annoying to get tickets from QA
about XSS.

On 2/11/06, Nathaniel S. H. Brown <nshb at inimit.com> wrote:
> I was just reading a blog post, about how PHP applications lack so much as
> far as security goes, and it got me thinking that Rails should come default
> secure, and you should have to force it to be less secure.
>
> On that note, I came up with the idea of having <%= default to use the XSS
> safe (or soon to be) h method.
>
> So, <%=h var %> and <%= var %> are really the same.
>
> Any thoughts?
>
> -Nb
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>  Nathaniel S. H. Brown                           http://nshb.net
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> _______________________________________________
> Rails-core mailing list
> Rails-core at lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails-core
>
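The proposal in the thread, escaping `<%= %>` by default, sketched as an added example in plain Ruby (not Rails or the list's own code): a small pre-pass over the template text wraps every `<%= expr %>` in an `h` helper (here `CGI.escapeHTML`), and a hypothetical `<%== expr %>` form is assumed as the explicit opt-out for trusted markup.

```ruby
require "erb"
require "cgi"

# Escape helper in the role of Rails' h / html_escape.
def h(text)
  CGI.escapeHTML(text.to_s)
end

# Rewrite template source so that <%= expr %> escapes by default.
# <%== expr %> is an assumed opt-out syntax (not Rails'), emitting raw HTML.
# Plain <% code %> blocks and <%# comments %> are left untouched.
def compile_safe_template(source)
  rewritten = source.gsub(/<%(=+)(.*?)%>/m) do
    op, expr = Regexp.last_match(1), Regexp.last_match(2)
    op == "==" ? "<%=#{expr}%>" : "<%= h(#{expr.strip}) %>"
  end
  ERB.new(rewritten)
end

# Render the template with a hash of local variables (Ruby >= 2.5).
def render_safe(source, locals)
  compile_safe_template(source).result_with_hash(locals)
end

# Constructed sample: an untrusted field next to a trusted, pre-rendered one.
SAMPLE_TEMPLATE = "<p><%= name %></p><div><%== trusted %></div>"
SAMPLE_LOCALS = {
  name: "<script>alert(1)</script>",   # attacker-controlled value
  trusted: "<b>ok</b>",                # markup the app itself produced
}.freeze

def demo
  render_safe(SAMPLE_TEMPLATE, SAMPLE_LOCALS)
end

puts demo if $PROGRAM_NAME == __FILE__
```

With this default the untrusted value renders as text, while the opt-out form still passes trusted markup through unchanged.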