That's a valid concern, but I think trying it out is the best approach
-- then we'll see if any problems arise. Having a #html_safe wrapper
around the tainting also yields some flexibility.


Cheers,
Daniel Schierbeck

On Sun, Apr 4, 2010 at 5:26 PM, Jeremy Kemper <jer...@bitsweat.net> wrote:
> On Sun, Apr 4, 2010 at 8:23 AM, Daniel Schierbeck
> <daniel.schierb...@gmail.com> wrote:
>> What is the reason that #tainted? wouldn't suffice? Basically, all
>> tainted strings are HTML escaped; if you wish to circumvent this, mark
>> your strings as untainted with String#untaint. It seems to me that
>> #html_safe tries to replicate functionality which is already present
>> (and more powerful) within Ruby itself.
>>
>> Should I cook up a patch for this?
>
> The problem with tainted is that it's a single flag for everybody to
> share. It may have different meanings in different libraries.
>
> Say, a database driver checks taint to see whether strings should be
> SQL-escaped.
>
> I think the benefits of using tainting in the common case, 99% of
> usage, far outweigh these unlikelihoods though.
>
> jeremy
>
>> Cheers,
>> Daniel Schierbeck
>>
>> On Sun, Apr 4, 2010 at 4:52 PM, Jeremy Kemper <jer...@bitsweat.net> wrote:
>>> On Sun, Apr 4, 2010 at 7:37 AM, Daniel Schierbeck
>>> <daniel.schierb...@gmail.com> wrote:
>>>> On Sun, Apr 4, 2010 at 3:54 PM, Jeremy Kemper <jer...@bitsweat.net> wrote:
>>>>> On Sun, Apr 4, 2010 at 4:51 AM, michael.hasenst...@googlemail.com
>>>>> <michael.hasenst...@googlemail.com> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Using Rails 3 (git master) and Ruby 1.9.2-head I noticed I have to
>>>>>> treat EVERY SINGLE STRING in my app, even things like
>>>>>>
>>>>>>  link_to "&nbsp;bla", path
>>>>>>
>>>>>> with raw(). This is crazy! It is a FIXED string! I understand it when
>>>>>> variables are concerned, but this is taking it a little too far. One
>>>>>> might even say the escaping only is necessary if STRING variables are
>>>>>> introduced, so including number-variables in a(n otherwise fixed)
>>>>>> string should not trigger the need to use raw().
>>>>>>
>>>>>> I only just started but the amount of "raw()" I have to insert into my
>>>>>> app seems excessive.
>>>>>
>>>>> Making the switch to HTML-safety is quite a pain. The grass is greener
>>>>> on the other side, though!
>>>>>
>>>>> You mark just a handful of strings as <%= raw ... %> instead of almost
>>>>> every string as <%= h ... %> -- less work down the line, plus no
>>>>> lingering XSS worries.
>>>>
>>>> Just out of curiosity, couldn't you use String#tainted? to check
>>>> whether the string was a literal or not?
>>>
>>> Yes! Using native String tainting would have some nice advantages.
>>>
>>> Another is that string interpolation would work: "foo #{bar}" is
>>> tainted if bar is tainted, but it is not html_safe? if bar is
>>> html_safe?
>>>
>>> jeremy
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups 
>>> "Ruby on Rails: Core" group.
>>> To post to this group, send email to rubyonrails-c...@googlegroups.com.
>>> To unsubscribe from this group, send email to 
>>> rubyonrails-core+unsubscr...@googlegroups.com.
>>> For more options, visit this group at 
>>> http://groups.google.com/group/rubyonrails-core?hl=en.
>>>
>>>
>>
>

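Added example, not code from any poster in this thread and not ActiveSupport's own SafeBuffer: a minimal stand-alone model of the html_safe marking the thread is arguing about. The class `SafeHtml`, the `output` helper (standing in for an ERB `<%= %>` call) and the hand-rolled escaper are assumptions made for illustration. It reproduces the three behaviours discussed: a fixed literal such as `"&nbsp;bla"` is escaped unless wrapped in `raw()`, untrusted data appended to a safe buffer is escaped while safe fragments pass through, and string interpolation produces a plain `String` so the safe mark is lost even when every part was safe (the limitation Jeremy contrasts with taint propagation).

```ruby
# Minimal model of Rails 3's html_safe marking (illustrative, not the real
# ActiveSupport::SafeBuffer). Escaping is done by hand so this runs on any Ruby.
HTML_ESCAPES = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;'
}.freeze

def escape_html(str)
  str.to_s.gsub(/[&<>"']/, HTML_ESCAPES)
end

# A string already known to be safe HTML. Appending a plain (unsafe) String
# escapes it first; appending another SafeHtml leaves it untouched.
class SafeHtml < String
  def html_safe?
    true
  end

  def <<(other)
    super(other.html_safe? ? other.to_s : escape_html(other))
  end
  alias concat <<

  def +(other)
    dup << other
  end
end

class String
  # Plain strings are treated as untrusted by default.
  def html_safe?
    false
  end

  # Opt a string out of escaping, as Rails' raw() / #html_safe do.
  def html_safe
    SafeHtml.new(self)
  end
end

def raw(str)
  str.html_safe
end

# Stand-in for an ERB <%= %> output call: escape unless marked safe.
def output(value)
  value.html_safe? ? value.to_s : escape_html(value)
end

# 1. The complaint that opened the thread: a fixed literal containing an
#    entity is escaped like any other string unless wrapped in raw().
def literal_escaped
  output("&nbsp;bla")        # => "&amp;nbsp;bla"
end

def literal_raw
  output(raw("&nbsp;bla"))   # => "&nbsp;bla"
end

# 2. Untrusted input appended to a safe buffer is escaped; safe markup is not.
def safe_append(user_input)
  buf = "<p>".html_safe
  buf << user_input          # escaped on the way in
  buf << "</p>".html_safe    # passed through unchanged
  output(buf)
end

# 3. Interpolation always builds a new plain String, so the html_safe mark
#    does not survive it even when every part was safe. (Native tainting,
#    by contrast, propagates through "foo #{bar}".)
def interpolation_loses_safety
  safe = "<b>hi</b>".html_safe
  "wrapped: #{safe}".html_safe?   # => false
end

if __FILE__ == $PROGRAM_NAME
  puts literal_escaped
  puts literal_raw
  puts safe_append("<b>x</b> & y")   # constructed sample input
  puts interpolation_loses_safety
end
```

The third function is the crux of the trade-off in the thread: a marker carried on a String subclass is lost at every interpolation or `String`-returning method, so a view that builds markup with `"#{...}"` silently falls back to "escape everything", which is safe but is exactly the source of the extra `raw()` calls Michael complains about.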