The main issue with taint is that it's a blacklist operation. This means
that we'd be relying on all libraries that could retrieve persisted user
data to properly taint their Strings. In contrast, the html_safe approach
assumes that all Strings are unsafe, until they are marked safe.

Rails internally marks its own Strings as safe, which is why you don't need
to mark form_for, link_to, etc. as html_safe.

Yehuda Katz
Developer | Engine Yard
(ph) 718.877.1325


On Sun, Apr 4, 2010 at 8:55 AM, Daniel Schierbeck <daniel.schierb...@gmail.com> wrote:

> That seems reasonable. Perhaps the tainting could be moved higher up
> the hierarchy, the ActiveRecord itself? All getters would then return
> tainted strings. Would that not suffice?
>
>
> Cheers,
> Daniel Schierbeck
>
> On Sun, Apr 4, 2010 at 5:41 PM, Mike Gunderloy <larkw...@gmail.com> wrote:
> > NzKoz's original note on why he didn't go with #tainted?:
> > http://groups.google.com/group/rubyonrails-core/browse_thread/thread/d04d32341b4790c4/444e732a0b265f96?lnk=gst&q=taint#444e732a0b265f96
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Core" group.
> > To post to this group, send email to rubyonrails-c...@googlegroups.com.
> > To unsubscribe from this group, send email to
> > rubyonrails-core+unsubscr...@googlegroups.com.
> > For more options, visit this group at
> http://groups.google.com/group/rubyonrails-core?hl=en.
> >
> >
>

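The contrast Yehuda draws above (blacklist taint vs. whitelist html_safe) in runnable form. This is an added example, not Rails' ActiveSupport::SafeBuffer or any code from the thread: SafeBuffer, link_to, Untrusted, careful_read and forgetful_read are hypothetical stand-ins, and the Untrusted wrapper models the old taint flag because Object#taint no longer exists in current Ruby.

```ruby
require "cgi"

# Whitelist model: every plain String is unsafe until marked safe.
class String
  def html_safe?
    false
  end

  def html_safe
    SafeBuffer.new(self)
  end
end

# Escapes anything appended to it that is not already marked safe.
class SafeBuffer < String
  def html_safe?
    true
  end

  def <<(other)
    if other.respond_to?(:html_safe?) && other.html_safe?
      super(other.to_s)                 # already-safe markup passes through
    else
      super(CGI.escapeHTML(other.to_s)) # untrusted String gets escaped
    end
  end
  alias_method :concat, :<<
end

# Stand-in for a framework helper such as link_to: it escapes its own
# arguments and returns a safe buffer, so callers never call html_safe on it.
def link_to(text, href)
  buf = SafeBuffer.new(%(<a href="))
  buf << href
  buf << %(">).html_safe
  buf << text
  buf << "</a>".html_safe
end

# Whitelist rendering: the comment is a plain String and is escaped;
# the helper output is already safe and is not double-escaped.
def render_whitelist(comment)
  out = SafeBuffer.new("<p>")
  out << comment
  out << " "
  out << link_to("profile", "/users/1?a=1&b=2")
  out << "</p>".html_safe
end

# Blacklist (taint-style) model: only fragments carrying the mark are
# escaped; anything unmarked is trusted by default.
Untrusted = Struct.new(:value)

def render_blacklist(fragments)
  fragments.map { |f| f.is_a?(Untrusted) ? CGI.escapeHTML(f.value) : f.to_s }.join
end

# Two hypothetical persistence layers returning the same stored comment:
# one marks it untrusted, the other forgets to.
def careful_read(stored)
  Untrusted.new(stored)
end

def forgetful_read(stored)
  stored
end

if __FILE__ == $PROGRAM_NAME
  comment = "<script>alert(1)</script>" # constructed attacker-controlled input
  puts render_whitelist(comment)
  puts render_blacklist(["<p>", careful_read(comment), "</p>"])
  puts render_blacklist(["<p>", forgetful_read(comment), "</p>"]) # script survives
end
```

With the whitelist the forgetful library cannot cause harm, because the default for an unmarked String is to escape it; with the blacklist one library that fails to mark persisted user data lets the script through unchanged.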