What is the reason that #tainted? wouldn't suffice? Basically, all
tainted strings are HTML escaped; if you wish to circumvent this, mark
your strings as untainted with String#untaint. It seems to me that
#html_safe tries to replicate functionality which is already present
(and more powerful) within Ruby itself.
Should I cook up a patch for this?
Cheers,
Daniel Schierbeck
On Sun, Apr 4, 2010 at 4:52 PM, Jeremy Kemper <jer...@bitsweat.net> wrote:
> On Sun, Apr 4, 2010 at 7:37 AM, Daniel Schierbeck
> <daniel.schierb...@gmail.com> wrote:
>> On Sun, Apr 4, 2010 at 3:54 PM, Jeremy Kemper <jer...@bitsweat.net> wrote:
>>> On Sun, Apr 4, 2010 at 4:51 AM, michael.hasenst...@googlemail.com
>>> <michael.hasenst...@googlemail.com> wrote:
>>>> Hi,
>>>>
>>>> Using Rails 3 (git master) and Ruby 1.9.2-head I noticed I have to
>>>> treat EVERY SINGLE STRING in my app, even things like
>>>>
>>>> link_to " bla", path
>>>>
>>>> with raw(). This is crazy! It is a FIXED string! I understand it when
>>>> variables are concerned, but this is taking it a little too far. One
>>>> might even say the escaping only is necessary if STRING variables are
>>>> introduced, so including number-variables in a(n otherwise fixed)
>>>> string should not trigger the need to use raw().
>>>>
>>>> I only just started but the amount of "raw()" I have to insert into my
>>>> app seems excessive.
>>>
>>> Making the switch to HTML-safety is quite a pain. The grass is greener
>>> on the other side, though!
>>>
>>> You mark just a handful of strings as <%= raw ... %> instead of almost
>>> every string as <%= h ... %> -- less work down the line, plus no
>>> lingering XSS worries.
>>
>> Just out of curiosity, couldn't you use String#tainted? to check
>> whether the string was a literal or not?
>
> Yes! Using native String tainting would have some nice advantages.
>
> Another is that string interpolation would work: "foo #{bar}" is
> tainted if bar is tainted, but it is not html_safe? if bar is
> html_safe?
>
> jeremy
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Core" group.
> To post to this group, send email to rubyonrails-c...@googlegroups.com.
> To unsubscribe from this group, send email to
> rubyonrails-core+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/rubyonrails-core?hl=en.
>
>
--
You received this message because you are subscribed to the Google Groups "Ruby
on Rails: Core" group.
To post to this group, send email to rubyonrails-c...@googlegroups.com.
To unsubscribe from this group, send email to
rubyonrails-core+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/rubyonrails-core?hl=en.
