That's a valid concern, but I think trying it out is the best approach -- then we'll see if any problems arise. Having a #html_safe wrapper around the tainting also yields some flexibility.
Cheers,
Daniel Schierbeck

On Sun, Apr 4, 2010 at 5:26 PM, Jeremy Kemper <jer...@bitsweat.net> wrote:
> On Sun, Apr 4, 2010 at 8:23 AM, Daniel Schierbeck
> <daniel.schierb...@gmail.com> wrote:
>> What is the reason that #tainted? wouldn't suffice? Basically, all
>> tainted strings are HTML escaped; if you wish to circumvent this, mark
>> your strings as untainted with String#untaint. It seems to me that
>> #html_safe tries to replicate functionality which is already present
>> (and more powerful) within Ruby itself.
>>
>> Should I cook up a patch for this?
>
> The problem with tainted is that it's a single flag for everybody to
> share. It may have different meanings in different libraries.
>
> Say, a database driver checks taint to see whether strings should be
> SQL-escaped.
>
> I think the benefits of using tainting in the common case, 99% of
> usage, far outweigh these unlikelihoods though.
>
> jeremy
>
>> Cheers,
>> Daniel Schierbeck
>>
>> On Sun, Apr 4, 2010 at 4:52 PM, Jeremy Kemper <jer...@bitsweat.net> wrote:
>>> On Sun, Apr 4, 2010 at 7:37 AM, Daniel Schierbeck
>>> <daniel.schierb...@gmail.com> wrote:
>>>> On Sun, Apr 4, 2010 at 3:54 PM, Jeremy Kemper <jer...@bitsweat.net> wrote:
>>>>> On Sun, Apr 4, 2010 at 4:51 AM, michael.hasenst...@googlemail.com
>>>>> <michael.hasenst...@googlemail.com> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Using Rails 3 (git master) and Ruby 1.9.2-head I noticed I have to
>>>>>> treat EVERY SINGLE STRING in my app, even things like
>>>>>>
>>>>>> link_to " bla", path
>>>>>>
>>>>>> with raw(). This is crazy! It is a FIXED string! I understand it when
>>>>>> variables are concerned, but this is taking it a little too far. One
>>>>>> might even say the escaping only is necessary if STRING variables are
>>>>>> introduced, so including number-variables in a(n otherwise fixed)
>>>>>> string should not trigger the need to use raw().
>>>>>>
>>>>>> I only just started but the amount of "raw()" I have to insert into my
>>>>>> app seems excessive.
>>>>>
>>>>> Making the switch to HTML-safety is quite a pain. The grass is greener
>>>>> on the other side, though!
>>>>>
>>>>> You mark just a handful of strings as <%= raw ... %> instead of almost
>>>>> every string as <%= h ... %> -- less work down the line, plus no
>>>>> lingering XSS worries.
>>>>
>>>> Just out of curiosity, couldn't you use String#tainted? to check
>>>> whether the string was a literal or not?
>>>
>>> Yes! Using native String tainting would have some nice advantages.
>>>
>>> Another is that string interpolation would work: "foo #{bar}" is
>>> tainted if bar is tainted, but it is not html_safe? if bar is
>>> html_safe?
>>>
>>> jeremy

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To post to this group, send email to rubyonrails-c...@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-core+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
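As an added illustration of the html_safe? model discussed in this thread (this is example code written for this page, not code from the thread, from Rails or from ActiveSupport::SafeBuffer), the following small Ruby program shows the two behaviours Jeremy describes: appending to a safe buffer escapes anything not already marked safe, whereas plain string interpolation produces an ordinary String that has lost the safety flag, so the template layer escapes the already-safe markup again. The module name HtmlSafety, the class SafeBuffer, and the helpers output and demo are hypothetical names chosen for this example; the input strings are constructed. String tainting has since been removed from Ruby, so only the html_safe? side is modelled here.

```ruby
# Added example: a minimal model of the html_safe? approach, not Rails' own code.
module HtmlSafety
  # Characters that must not reach an HTML context unescaped.
  ESCAPE = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
             '"' => '&quot;', "'" => '&#39;' }.freeze

  def self.escape(str)
    str.to_s.gsub(/[&<>"']/, ESCAPE)
  end

  # Hypothetical SafeBuffer: a String subclass that remembers its content
  # is already escaped (or was deliberately marked safe by the developer).
  class SafeBuffer < String
    def html_safe?
      true
    end

    # Appending escapes anything that is not itself marked safe, so markup
    # built with << stays safe. This is the property interpolation lacks.
    def <<(other)
      super(other.html_safe? ? other : HtmlSafety.escape(other))
    end

    # Keep + returning a SafeBuffer as well, with the same escaping rule.
    def +(other)
      dup << other
    end
  end

  # Every ordinary String is unsafe until explicitly promoted.
  module StringExt
    def html_safe?
      false
    end

    def html_safe
      SafeBuffer.new(self)
    end
  end
  String.include(StringExt)

  # What a template's <%= %> does under this model: escape unless the value
  # claims to be safe. Hypothetical helper name.
  def self.output(value)
    value.html_safe? ? value.to_s : escape(value)
  end

  # Constructed inputs: one untrusted string and one trusted literal markup.
  def self.demo
    user = '<script>alert(1)</script>'        # constructed untrusted input
    link = '<a href="/">home</a>'.html_safe    # constructed trusted markup
    {
      # << escapes only the untrusted part; the safe link passes through.
      appended: output(SafeBuffer.new('Hello ') << user << ' ' << link),
      # "#{...}" yields a plain String, so safety is lost and the template
      # escapes everything, including the link that was already safe.
      interpolated: output("Hello #{user} #{link}"),
      # The flag does not survive interpolation even when every part was safe.
      interpolated_safe: "Hello #{link}".html_safe?
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  HtmlSafety.demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Run the file directly to see the three results. The practical takeaway matches Jeremy's remark: with html_safe? you build output with << or the helpers, because "#{...}" silently demotes the result to an unsafe String (harmless to security, since it is then escaped, but it double-escapes trusted markup), whereas taint propagates through interpolation on its own.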