What is the reason that #tainted? wouldn't suffice? Basically, all tainted strings are HTML escaped; if you wish to circumvent this, mark your strings as untainted with String#untaint. It seems to me that #html_safe tries to replicate functionality which is already present (and more powerful) within Ruby itself.
Should I cook up a patch for this?

Cheers,
Daniel Schierbeck

On Sun, Apr 4, 2010 at 4:52 PM, Jeremy Kemper <jer...@bitsweat.net> wrote:
> On Sun, Apr 4, 2010 at 7:37 AM, Daniel Schierbeck
> <daniel.schierb...@gmail.com> wrote:
>> On Sun, Apr 4, 2010 at 3:54 PM, Jeremy Kemper <jer...@bitsweat.net> wrote:
>>> On Sun, Apr 4, 2010 at 4:51 AM, michael.hasenst...@googlemail.com
>>> <michael.hasenst...@googlemail.com> wrote:
>>>> Hi,
>>>>
>>>> Using Rails 3 (git master) and Ruby 1.9.2-head I noticed I have to
>>>> treat EVERY SINGLE STRING in my app, even things like
>>>>
>>>> link_to " bla", path
>>>>
>>>> with raw(). This is crazy! It is a FIXED string! I understand it when
>>>> variables are concerned, but this is taking it a little too far. One
>>>> might even say the escaping only is necessary if STRING variables are
>>>> introduced, so including number-variables in a(n otherwise fixed)
>>>> string should not trigger the need to use raw().
>>>>
>>>> I only just started but the amount of "raw()" I have to insert into my
>>>> app seems excessive.
>>>
>>> Making the switch to HTML-safety is quite a pain. The grass is greener
>>> on the other side, though!
>>>
>>> You mark just a handful of strings as <%= raw ... %> instead of almost
>>> every string as <%= h ... %> -- less work down the line, plus no
>>> lingering XSS worries.
>>
>> Just out of curiosity, couldn't you use String#tainted? to check
>> whether the string was a literal or not?
>
> Yes! Using native String tainting would have some nice advantages.
>
> Another is that string interpolation would work: "foo #{bar}" is
> tainted if bar is tainted, but it is not html_safe? if bar is
> html_safe?
>
> jeremy
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Core" group.
> To post to this group, send email to rubyonrails-c...@googlegroups.com.
> To unsubscribe from this group, send email to
> rubyonrails-core+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/rubyonrails-core?hl=en.
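The following is an added illustration, not code from this thread or from Rails itself, of the html_safe mechanism the thread discusses and of the interpolation pitfall Jeremy describes: a minimal SafeString marker, an `h` helper that escapes only strings not yet marked safe, `raw` for opting a fixed literal out, a `link_to`-style helper built on top, and an `interpolated` function showing that `"foo #{bar}"` always yields a plain, non-html_safe String. The class and helper names are mine and are simplified stand-ins for the real Rails ones. Ruby's own taint flags, which Daniel proposes as the alternative, are not used here because they were deprecated in Ruby 2.7 and removed in Ruby 3.2, so the example runs on current Ruby.

```ruby
require 'cgi'

# Added example: a String that remembers it has already been escaped.
# Anything appended to it that is not itself safe gets escaped first,
# so "safe + untrusted" cannot smuggle markup through.
class SafeString < String
  def html_safe?
    true
  end

  def +(other)
    piece = if other.respond_to?(:html_safe?) && other.html_safe?
              other
            else
              CGI.escapeHTML(other.to_s)
            end
    SafeString.new(super(piece))
  end
end

# Plain Strings are untrusted by default; html_safe marks one as trusted.
class String
  def html_safe?
    false
  end

  def html_safe
    SafeString.new(self)
  end
end

# Escape unless already safe. Calling h twice does not double-escape.
def h(str)
  str.html_safe? ? str : CGI.escapeHTML(str).html_safe
end

# Opt a fixed literal out of escaping (the caller vouches for it).
def raw(str)
  str.to_s.html_safe
end

# A link_to-style helper: the fixed markup is safe, caller-supplied href
# and text are escaped on the way in (attribute quotes included).
def link_to(text, href)
  '<a href="'.html_safe + href + '">'.html_safe + text + '</a>'.html_safe
end

# The pitfall from the thread: interpolation builds a brand-new plain
# String, so the result is not html_safe? even when label was. Rendering
# it through h escapes it again; passing it through raw would trust the
# whole thing, label included, which is exactly the XSS risk.
def interpolated(label)
  "<b>#{label}</b>"
end

if __FILE__ == $PROGRAM_NAME
  puts link_to('<b>x</b>', '/p?a=1&b=2')
  puts interpolated('safe'.html_safe).html_safe?
end
```

The design point is that safety is a property carried by the value, not by the call site: only concatenation through SafeString preserves it, which is why every helper that builds markup has to append rather than interpolate, and why a literal such as `" bla"` has to be marked with `raw` before it is trusted.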