On Sun, Apr 4, 2010 at 7:37 AM, Daniel Schierbeck
<daniel.schierb...@gmail.com> wrote:
> On Sun, Apr 4, 2010 at 3:54 PM, Jeremy Kemper <jer...@bitsweat.net> wrote:
>> On Sun, Apr 4, 2010 at 4:51 AM, michael.hasenst...@googlemail.com
>> <michael.hasenst...@googlemail.com> wrote:
>>> Hi,
>>>
>>> Using Rails 3 (git master) and Ruby 1.9.2-head I noticed I have to
>>> treat EVERY SINGLE STRING in my app, even things like
>>>
>>> link_to " bla", path
>>>
>>> with raw(). This is crazy! It is a FIXED string! I understand it when
>>> variables are concerned, but this is taking it a little too far. One
>>> might even say the escaping only is necessary if STRING variables are
>>> introduced, so including number-variables in a(n otherwise fixed)
>>> string should not trigger the need to use raw().
>>>
>>> I only just started but the amount of "raw()" I have to insert into my
>>> app seems excessive.
>>
>> Making the switch to HTML-safety is quite a pain. The grass is greener
>> on the other side, though!
>>
>> You mark just a handful of strings as <%= raw ... %> instead of almost
>> every string as <%= h ... %> -- less work down the line, plus no
>> lingering XSS worries.
>
> Just out of curiosity, couldn't you use String#tainted? to check
> whether the string was a literal or not?
Yes! Using native String tainting would have some nice advantages.
Another is that string interpolation would work: "foo #{bar}" is
tainted if bar is tainted, but it is not html_safe? if bar is
html_safe?
jeremy
--
You received this message because you are subscribed to the Google Groups "Ruby
on Rails: Core" group.
To post to this group, send email to rubyonrails-c...@googlegroups.com.
To unsubscribe from this group, send email to
rubyonrails-core+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/rubyonrails-core?hl=en.
