[Rails-core] Default <%= to use the h (html safe) method.
Nathaniel S. H. Brown
nshb at inimit.com
Sun Feb 12 04:48:52 GMT 2006
Good point.
We could always make it a configuration option for 1.0?
-Nb
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Nathaniel S. H. Brown http://nshb.net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> -----Original Message-----
> From: rails-core-bounces at lists.rubyonrails.org
> [mailto:rails-core-bounces at lists.rubyonrails.org] On Behalf
> Of Michael Koziarski
> Sent: February 11, 2006 8:31 PM
> To: rails-core at lists.rubyonrails.org
> Subject: Re: [Rails-core] Default <%= to use the h (html safe) method.
>
> On 2/12/06, Nathaniel S. H. Brown <nshb at inimit.com> wrote:
> > I was just reading a blog post, about how PHP applications lack so
> > much as far as security goes, and it got me thinking that Rails should
> > come default secure, and you should have to force it to be less secure.
> >
> > On that note, I came up with the idea of having <%= default to use the
> > XSS safe (or soon to be) h method.
> >
> > So, <%=h var %> and <%= var %> are really the same.
> >
> > Any thoughts?
>
> Unfortunately this would break existing applications which rely on the
> original behaviour. So even if we thought it was something we'd like to
> do, it'd have to wait until rails 2.0. It's also a little
> counter-intuitive, I don't know that I like the idea.
>
> --
> Cheers
>
> Koz
> _______________________________________________
> Rails-core mailing list
> Rails-core at lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails-core
>
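The three behaviours the thread is weighing, as an added example that is not part of the original message or of Rails itself: stock ERB's <%= %> writes a value verbatim, <%=h var %> escapes it through ERB::Util's h, and a small escape-by-default wrapper rewrites every <%= %> so that output is escaped unless the developer explicitly marked it trusted. The SafeString class, the raw and out helpers, the template-rewriting trick and the attacker string are my assumptions for illustration only; none of them is the thread's proposal as written or a Rails API.

```ruby
require "erb"

# Ruby's standard ERB::Util supplies html_escape and its short alias h.
include ERB::Util

# Constructed attacker-controlled value (assumption, not taken from the thread).
ATTACKER_INPUT = "<script>alert(1)</script>"

# 1. Stock ERB: <%= %> interpolates the value as-is, so the script tag survives.
def render_unescaped(value)
  ERB.new("<p><%= value %></p>").result(binding)
end

# 2. The practice of the day: the template author remembers to write <%=h var %>.
def render_with_h(value)
  ERB.new("<p><%=h value %></p>").result(binding)
end

# 3. Escape-by-default sketch (hypothetical; my reading of what the proposal implies).
#    A String subclass used purely as a marker for markup the developer vouches for.
class SafeString < String; end

# Opt-out: declare a string as trusted markup so it is emitted verbatim.
def raw(markup)
  SafeString.new(markup.to_s)
end

# Every <%= %> goes through here: escape unless explicitly marked safe.
def out(value)
  value.is_a?(SafeString) ? value : html_escape(value.to_s)
end

# Rewrite each <%= expr %> into <%= out((expr)) %> before compiling, so the
# template author gets escaping without typing h. This works on the template
# text rather than hooking ERB's compiler, which keeps the sketch independent
# of ERB internals; <%# comments %> and <% statements %> are left untouched.
def escaping_erb(template)
  ERB.new(template.gsub(/<%=(.*?)%>/m) { "<%= out((#{$1})) %>" })
end

def render_escape_by_default(value, trusted_markup)
  escaping_erb("<p><%= value %></p><%= trusted_markup %>").result(binding)
end

if __FILE__ == $PROGRAM_NAME
  puts render_unescaped(ATTACKER_INPUT)
  puts render_with_h(ATTACKER_INPUT)
  puts render_escape_by_default(ATTACKER_INPUT, raw("<b>trusted</b>"))
  # A helper that returns markup but forgets raw() now renders as text: this is
  # the compatibility cost the reply points at, since every existing helper
  # that emits HTML would have to be wrapped before the default could flip.
  puts render_escape_by_default("a & b", "<i>forgot raw</i>")
end
```

The last call shows why the change is a compatibility break rather than a free win: once <%= escapes by default, any helper or model method that returns HTML must opt out explicitly, and an application with many such helpers renders angle brackets as text until each one is audited. Note also that h covers HTML text content only; a value placed inside an attribute, a URL or a script block still needs context-specific encoding.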