On Sun, Apr 4, 2010 at 7:54 AM, Prem Sichanugrist <sikand...@gmail.com> wrote:
> If you are certain that your string is safe, then you can mark it as 
> html_safe by doing this:
>
> <%= link_to "&nbsp;bla".html_safe, path %>

Prem, yes. The original poster's concern is that literal strings are
already known to be HTML-safe, so having to state it again is annoying
and not DRY.

> On 4 Apr 2553, at 21:52, Jeremy Kemper wrote:
>
>> On Sun, Apr 4, 2010 at 7:37 AM, Daniel Schierbeck
>> <daniel.schierb...@gmail.com> wrote:
>>> On Sun, Apr 4, 2010 at 3:54 PM, Jeremy Kemper <jer...@bitsweat.net> wrote:
>>>> On Sun, Apr 4, 2010 at 4:51 AM, michael.hasenst...@googlemail.com
>>>> <michael.hasenst...@googlemail.com> wrote:
>>>>> Hi,
>>>>>
>>>>> Using Rails 3 (git master) and Ruby 1.9.2-head I noticed I have to
>>>>> treat EVERY SINGLE STRING in my app, even things like
>>>>>
>>>>> link_to "&nbsp;bla", path
>>>>>
>>>>> with raw(). This is crazy! It is a FIXED string! I understand it when
>>>>> variables are concerned, but this is taking it a little too far. One
>>>>> might even say the escaping only is necessary if STRING variables are
>>>>> introduced, so including number-variables in a(n otherwise fixed)
>>>>> string should not trigger the need to use raw().
>>>>>
>>>>> I only just started but the amount of "raw()" I have to insert into my
>>>>> app seems excessive.
>>>>
>>>> Making the switch to HTML-safety is quite a pain. The grass is greener
>>>> on the other side, though!
>>>>
>>>> You mark just a handful of strings as <%= raw ... %> instead of almost
>>>> every string as <%= h ... %> -- less work down the line, plus no
>>>> lingering XSS worries.
>>>
>>> Just out of curiosity, couldn't you use String#tainted? to check
>>> whether the string was a literal or not?
>>
>> Yes! Using native String tainting would have some nice advantages.
>>
>> Another is that string interpolation would work: "foo #{bar}" is
>> tainted if bar is tainted, but it is not html_safe? if bar is
>> html_safe?
>>
>> jeremy
>>
>> --
>> You received this message because you are subscribed to the Google Groups 
>> "Ruby on Rails: Core" group.
>> To post to this group, send email to rubyonrails-c...@googlegroups.com.
>> To unsubscribe from this group, send email to 
>> rubyonrails-core+unsubscr...@googlegroups.com.
>> For more options, visit this group at 
>> http://groups.google.com/group/rubyonrails-core?hl=en.
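As an added illustration of the html_safe semantics discussed in this thread (example code written for this page, not Rails' own ActiveSupport::SafeBuffer): a minimal stand-in buffer that escapes unsafe strings on append, leaves strings marked html_safe alone, and shows that string interpolation yields a plain, unsafe String even when every piece was safe, which is Jeremy's point about "foo #{bar}".

```ruby
require "cgi"

# Minimal stand-in for Rails' SafeBuffer, written for this example only.
# Assumption: it mirrors the semantics described in the thread, not the real class.
class SafeBuffer < String
  def html_safe?
    true
  end

  # Appending an unsafe string escapes it; appending a safe one keeps it verbatim.
  def concat(other)
    super(other.html_safe? ? other : CGI.escapeHTML(other))
  end
  alias << concat

  def +(other)
    dup.concat(other)
  end
end

class String
  def html_safe?
    false
  end

  def html_safe
    SafeBuffer.new(self)
  end
end

# A fixed literal marked html_safe: the entity reaches the output intact.
def render_fixed_label
  SafeBuffer.new("<a href=\"/bla\">") + "&nbsp;bla".html_safe + "</a>".html_safe
end

# Untrusted input appended to the same buffer is escaped automatically.
def render_untrusted_label(user_input)
  SafeBuffer.new("<a href=\"/bla\">") + user_input + "</a>".html_safe
end

# Interpolation builds a plain String, so the html_safe mark is lost even
# though the interpolated piece was safe.
def interpolate_safe_pieces
  bar = "&nbsp;".html_safe
  "foo #{bar}"
end
```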