[Rails-core] Default <%= to use the h (html safe) method.
Nathaniel S. H. Brown
nshb at inimit.com
Sun Feb 12 05:33:09 GMT 2006
All of those helper functions would obviously need to be changed so that
they work with the default <%=h methods. The <%= tag could be smart enough
to realize what it is parsing, and if it's a helper method, to skip it.
It's an abstract idea. If it's worth investigating, we can look at how to
implement it, on a more specific level. Especially what implications it has,
as you have mentioned.
As far as I am concerned, these are minor details which can be ironed out
with a bit of creativity.
-Nb
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Nathaniel S. H. Brown http://nshb.net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> -----Original Message-----
> From: rails-core-bounces at lists.rubyonrails.org
> [mailto:rails-core-bounces at lists.rubyonrails.org] On Behalf
> Of Tobias Luetke
> Sent: February 11, 2006 9:04 PM
> To: rails-core at lists.rubyonrails.org
> Subject: Re: [Rails-core] Default <%= to use the h (html safe) method.
>
> huh? that would break url_for, link_to, textilize, markdown
> and every single other helper which outputs html tags. I use
> the h helper in like 3 different places in shopify, that's
> definitely the exception.
>
> > On that note, I came up with the idea of having <%= default
> > to use the
> > XSS safe (or soon to be) h method.
>
> --
> Tobi
> http://shopify.com - modern e-commerce software
> http://typo.leetsoft.com - Open source weblog engine
> http://blog.leetsoft.com - Technical weblog
> _______________________________________________
> Rails-core mailing list
> Rails-core at lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails-core
>
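An added illustration of the trade-off argued over in this thread (not code from the thread or from Rails): a tiny renderer whose <%= escapes by default, showing that untrusted input is neutralised, that a helper which marks its own output as safe survives, and that a legacy helper returning a plain String is mangled. SafeHtml, render, naive_tag and this toy link_to are assumed stand-ins for the example, not Rails APIs.

```ruby
require 'cgi'

# A string a helper vouches for as already-escaped HTML (assumed name for this example).
class SafeHtml < String; end

# Escape a value for HTML text content, passing through output a helper vouched for.
def h(value)
  value.is_a?(SafeHtml) ? value : SafeHtml.new(CGI.escapeHTML(value.to_s))
end

# Stand-in for link_to: escapes its untrusted pieces itself and marks the
# assembled markup safe, so default escaping leaves it intact.
def link_to(text, href)
  SafeHtml.new(%(<a href="#{CGI.escapeHTML(href)}">#{CGI.escapeHTML(text)}</a>))
end

# Legacy-style helper returning a plain String: default escaping mangles it.
def naive_tag(text)
  "<b>#{text}</b>"
end

# Minimal template renderer: evaluates each <%= expr %> or <%=h expr %> against
# the given locals and escapes the result unless a helper marked it safe.
def render(template, locals, escape_by_default:)
  ctx = Object.new
  locals.each { |name, val| ctx.define_singleton_method(name) { val } }
  template.gsub(/<%=(h\b)?\s*(.+?)\s*%>/m) do
    explicit_h, expr = Regexp.last_match(1), Regexp.last_match(2)
    raw = ctx.instance_eval(expr)
    (explicit_h || escape_by_default) ? h(raw) : raw.to_s
  end
end

# Constructed sample input: a visitor-supplied name carrying script markup.
LOCALS = { name: "<script>alert(1)</script>", url: "http://example.com/?a=1&b=2" }
TEMPLATE = "Hi <%= name %>, see <%= link_to('Shop', url) %> <%= naive_tag('hi') %>"

def unescaped_page
  render(TEMPLATE, LOCALS, escape_by_default: false)
end

def escaped_page
  render(TEMPLATE, LOCALS, escape_by_default: true)
end

if __FILE__ == $PROGRAM_NAME
  puts unescaped_page  # the script tag reaches the browser verbatim
  puts escaped_page    # script neutralised, link_to intact, naive_tag mangled
end
```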