[Rails-core] Default <%= to use the h (html safe) method.

Francois Beausoleil francois.beausoleil at gmail.com
Sun Feb 12 17:18:50 GMT 2006


2006/2/12, Tobias Luetke <tobias.luetke at gmail.com>:
> By escaping the html your customers input you potentially disable a
> lot of cool features.
>
> For example we use html to make links in todo list items in basecamp
> all the time. Couldn't do that if it was escaped.

Isn't Textile quite suited to this sort of task? Wouldn't it be safer?

I don't personally use Basecamp, but if I remember correctly, many
people view the pages, so what prevents a bad user from doing:

<a href="some link" onclick="do potentially bad thing here">Click me !</a>

???

Thanks!
--
François Beausoleil
http://blog.teksol.info/
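The trade-off raised in this thread (escape everything and lose links, or allow raw HTML and get `onclick` handlers) can be resolved by escaping all input and then re-introducing links only from a restricted markup. The following is an added illustration, not code from the thread or from Rails: it assumes Textile-style `"text":url` link syntax and an allowlist of URL schemes, and uses `ERB::Util.html_escape` from the Ruby standard library.

```ruby
require "erb"
require "uri"

# Schemes a todo-item link may use. "javascript:" is deliberately absent.
SAFE_SCHEMES = %w[http https mailto].freeze

# Textile-style link markup: "link text":http://example.com
# (assumed syntax for this example; \S+ stops the URL at whitespace)
LINK_RE = /"([^"]+)":(\S+)/

# True only when the URL parses and its scheme is on the allowlist.
def safe_href?(url)
  uri = URI.parse(url)
  SAFE_SCHEMES.include?(uri.scheme.to_s.downcase)
rescue URI::InvalidURIError
  false
end

# Render untrusted todo text: every byte of user input is HTML-escaped
# (the behaviour of a default-escaping <%= %>), and anchors are generated
# by us, so attributes like onclick can never come from the user.
def render_todo(text)
  out = +""
  pos = 0
  text.scan(LINK_RE) do
    m = Regexp.last_match
    out << ERB::Util.html_escape(text[pos...m.begin(0)])   # plain text before the link
    label, url = m[1], m[2]
    if safe_href?(url)
      out << %(<a href="#{ERB::Util.html_escape(url)}">#{ERB::Util.html_escape(label)}</a>)
    else
      out << ERB::Util.html_escape(m[0])                    # unsafe scheme: show literally
    end
    pos = m.end(0)
  end
  out << ERB::Util.html_escape(text[pos..-1])               # remainder after the last link
end

if __FILE__ == $0
  # Constructed sample inputs.
  puts render_todo(%q{See "the spec":http://example.com/spec})
  puts render_todo(%q{"Click me":javascript:alert(1)})
  puts render_todo(%q{<a href="x" onclick="evil()">Click me !</a>})
end
```

Only the `href` and the link text are user-controlled, and both pass through `html_escape`, so a quote in the URL cannot break out of the attribute.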

