I've just pushed some XSS-protection compatibility code. I didn't take the
same route as you did, because I needed to have it work outside of the
context of Rails.

On Sat, Oct 10, 2009 at 3:07 PM, Nathan Weizenbaum <[email protected]> wrote:

> I've been thinking about the best way to do this integration. I'll
> definitely have a look at your fork when I get a chance.
>
>
> On Sat, Oct 10, 2009 at 11:48 AM, Bruno Michel <[email protected]> wrote:
>
>>
>> Hi,
>>
>> The future releases of Rails, 2.3.5 and 3.0, will mark strings as
>> html_safe if they can be output safely. You can see the details about
>> that in this commit on the 2.3 branch:
>>
>> http://github.com/rails/rails/commit/80da8eb43dfabb4ca9f0adcb431882d03e6388bb .
>>
>> The idea behind this change is to have an on-by-default XSS escaping in
>> Rails. RailsXss (http://github.com/nzkoz/rails_xss) is a plugin for
>> Rails 2.3 that brings this safety by using erubis.
>>
>> Haml already has an option for automatically escaping HTML strings,
>> but it can be improved by not escaping strings that are already marked
>> as html_safe.
>>
>> For example, the following line should output a link:
>>  Click on #{link_to 'this link', '/this-link'}
>> If auto-escaping is enabled, Haml will escape it, but Rails marks
>> the result of link_to as safe, so Haml should not escape it.
>>
>> I've tried to modify the code of Haml, but I'm not very confident in my
>> changes, so a code review is welcome.
>>
>> The changes are on github: http://github.com/nono/haml/tree/rails_xss.
>>
>> ++
>> Bruno
>>
>>
>

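A minimal model of the "escape unless already html_safe" rule Bruno describes, added here as an example; it is neither Haml's nor Rails' code, and SafeString, Escaper and render_line are stand-ins for ActiveSupport::SafeBuffer, Rails' helpers and Haml's rendering of an interpolated text line.

```ruby
require 'cgi'

# A string that a trusted helper (like Rails' link_to) has vouched for.
# Rails' real class is ActiveSupport::SafeBuffer; SafeString is a stand-in.
class SafeString < String
  def html_safe?
    true
  end

  # Appending keeps the buffer safe: anything not already safe gets escaped.
  def <<(other)
    super(Escaper.escape_html(other))
  end
end

class String
  # Plain strings are untrusted until a helper vouches for them.
  def html_safe?
    false
  end

  def html_safe
    SafeString.new(self)
  end
end

module Escaper
  # The rule under discussion: escape only what is not already marked safe,
  # so helper output is never escaped twice.
  def self.escape_html(value)
    return value if value.html_safe?
    SafeString.new(CGI.escapeHTML(value.to_s))
  end

  # Stand-in for link_to: escapes its inputs, then vouches for the markup.
  def self.link_to(text, href)
    SafeString.new(%(<a href="#{CGI.escapeHTML(href)}">#{CGI.escapeHTML(text)}</a>))
  end

  # Model of rendering a Haml text line such as
  #   Click on #{link_to 'this link', '/this-link'}
  # under auto-escape: each piece is escaped or passed through on its own.
  def self.render_line(*pieces)
    pieces.each_with_object(SafeString.new('')) { |p, buf| buf << p }
  end
end
```

Interpolating a safe string into a plain Ruby string literal yields a plain String, so the flag survives only if the template engine escapes each interpolated piece on its own.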
You received this message because you are subscribed to the Google Groups "Haml" group.