[Rails-core] Default <%= to use the h (html safe) method.

David Heinemeier Hansson david.heinemeier at gmail.com
Sun Feb 12 17:30:31 GMT 2006


> Isn't Textile quite suited to this sort of task ?  Wouldn't it be safer ?

It's suited sometimes for some of the tasks. But it's not a general-purpose
replacement for HTML.

> I don't personally use Basecamp, but if I remember correctly, many
> people view the pages, so what prevents a bad user from doing:
>
> <a href="some link" onclick="do potentially bad thing here">Click me !</a>

Basecamp is account restricted. You have to be invited and accept the
invitation to become part of a project and see the content. In this
context, the ability of being able to use HTML outweighs the
risk/impact of malicious users (you usually just participate in
projects with people you know).

On a public forum, it's different. I wouldn't want to allow HTML there.
--
David Heinemeier Hansson
http://www.loudthinking.com -- Broadcasting Brain
http://www.basecamphq.com   -- Online project management
http://www.backpackit.com   -- Personal information manager
http://www.rubyonrails.com  -- Web-application framework

