[Rails-core] Default <%= to use the h (html safe) method.
Abdur-Rahman Advany
rails at advany.com
Sun Feb 12 11:48:07 GMT 2006
@ nathaniel
I am against doing h on all <%=, but why not just write a plugin? See how
it works? Sometimes it takes an extra step to convince people.
Stefan Kaes wrote:
> Nathaniel S. H. Brown wrote:
>> As I said before, I (or we, for whoever is in support) can solve the minor
>> details, and provide solutions with a little bit of creativity. I am of the
>> opinion that if you see points such as the ones you mentioned, you may also
>> be able to see how to fix them, if you so desire. I have some suggestions.
>>
>>
>>> * Introducing this will break existing applications, which
>>> already make use of h, since h isn't idempotent.
>>>
>>
>> As I said previously, this could be available as a configuration option,
>> negating your remark about breaking existing applications. You would have to
>> explicitly choose to break your own application. And where would that leave
>> you? Providing the option to enable the XSS security for those who do choose
>> for it. When enabled, the h function would be wiser at detecting what it is
>> that it's encoding.
>>
>> One idea is to have a safe list of tags and html code which can be verified,
>> such as those found on the
>>
> In order to implement this properly you'd need to do a HTML parse
> (including javascript!) of the string passed to h and validate that.
> Obviously, parsing HTML is overkill for performance. And it's still
> open whether the question "should something be escaped here" is
> decidable at all. I believe it isn't.
>>> * And of course, it would severely hurt performance.
>>>
>>
>> I wouldn't mind seeing a benchmark of <%= '<p>test</p>' %> vs. <%=h
>> '<p>test</p>' %> to back this statement up. Understandably, the h method
>> does do a bit more. But how much more? And what about caching?
>>
> Nice try, but the proof obligation w.r.t. implementability and
> performance is on the proposer of the change.
>
> Why don't you go ahead and implement a plugin that changes <%=
> semantics? Not that I would recommend it or give it a good chance of
> success in the community, but it's up to you if you want to put effort
> into this.
>
> -- stefan
>
> --
> For rails performance tuning, see: http://railsexpress.de/blog
> Subscription: http://railsexpress.de/blog/xml/rss20/feed.xml
>
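An added illustration in plain Ruby, not code from this thread or from Rails, of the two points argued above: the legacy h is not idempotent, so an escape-by-default <%= would double-escape views that already call h, and a plugin could change <%= semantics rather than changing core. SafeString, hs, escape_once, render_legacy and render_escaping are assumed names for this example (Rails later adopted a comparable "already escaped" marker, but that is not on this page).

```ruby
require 'cgi'
require 'erb'

# Legacy h as the thread discusses it: a plain CGI.escapeHTML returning an
# ordinary String, so calling it twice escapes twice (not idempotent).
def h(s)
  CGI.escapeHTML(s.to_s)
end

# Hypothetical marker class (not in the thread): a String that records it has
# already been escaped, so an escape-by-default <%= can leave it alone.
class SafeString < String
  def html_safe?
    true
  end
end

# Escape exactly once: plain strings are escaped and marked, marked ones pass through.
def escape_once(s)
  return s if s.respond_to?(:html_safe?) && s.html_safe?
  SafeString.new(CGI.escapeHTML(s.to_s))
end

# Marker-aware h: same output as the legacy h, but tagged so it is not escaped again.
def hs(s)
  SafeString.new(h(s))
end

# Stock ERB: <%= %> inserts whatever the expression returns, unescaped.
def render_legacy(src, value)
  ERB.new(src).result(binding)
end

# Crude stand-in for a plugin that changes <%= semantics: every <%= expr %> is
# rewritten to escape its result once. A regex over the template source is only
# good enough for simple templates; a real plugin would hook the ERB compiler.
def render_escaping(src, value)
  rewritten = src.gsub(/<%=(.*?)%>/m) { "<%= escape_once((#{Regexp.last_match(1).strip})) %>" }
  ERB.new(rewritten).result(binding)
end
```

With render_escaping, a view written as `<%= h(value) %>` comes out double-escaped, which is the breakage Stefan points at; switching that view to the marker-aware hs restores the single escape.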