I can see that -- it's sad that we have this great functionality built right into Ruby, yet we're unable to take advantage of it.
Well, nothing to do about that.

Cheers,
Daniel Schierbeck

On Mon, Apr 5, 2010 at 1:23 AM, Michael Koziarski <mich...@koziarski.com> wrote:
>> That seems reasonable. Perhaps the tainting could be moved higher up
>> the hierarchy, the ActiveRecord itself? All getters would then return
>> tainted strings. Would that not suffice?
>
> If we used tainting then all it would take is one library to not
> return tainted strings, and your application is completely hosed.
>
> It's not just a question of ActiveRecord either. Apps read strings
> from memcached, redis, http (dozens of libraries here), one bug here
> and you're hosed. The risk outweighs the slim rewards.
>
> Tainting was an alluring option initially, but the more you drill down
> into it the more of a red-herring it becomes.
>
> --
> Cheers
>
> Koz
>
> --
> You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
> To post to this group, send email to rubyonrails-c...@googlegroups.com.
> To unsubscribe from this group, send email to rubyonrails-core+unsubscr...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
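The failure mode Koz describes in the quoted message, as an added example that is not part of the thread and not Rails code. Ruby's built-in taint flag (`String#taint` / `tainted?`) was deprecated in Ruby 2.7 and removed in 3.2, so the example models the flag with a marker stored on the String object; `Untrusted`, `NaiveCache`, `execute_sql` and the injection payload are constructed for illustration. It shows a taint gate stopping a parameter that flows straight into a query, and the same bytes walking through a cache client that is not taint-aware and arriving unmarked.

```ruby
# Models Ruby's (now removed) taint flag with a marker on the String object.
# Assumption for this example: the mark is metadata on the object, so any
# library that rebuilds a string from bytes silently drops it.
module Untrusted
  # Mark a string as having crossed the trust boundary (request input).
  def self.mark(str)
    s = str.dup # literals may be frozen; work on a mutable copy
    s.instance_variable_set(:@untrusted, true)
    s
  end

  def self.marked?(str)
    str.instance_variable_defined?(:@untrusted)
  end

  # Like Ruby's taint propagation through String#+: the result is untrusted
  # if any part is.
  def self.join(*parts)
    out = parts.map(&:to_s).join
    parts.any? { |p| marked?(p) } ? mark(out) : out
  end
end

# The gate a taint-based Rails would have had: refuse to run a query that
# carries the mark. Returns the query that would have run (stand-in for the
# database call).
def execute_sql(sql)
  raise SecurityError, "untrusted data in SQL: #{sql}" if Untrusted.marked?(sql)
  sql
end

# Request boundary: a taint-aware framework marks every parameter value.
def params_from_request(raw)
  raw.transform_values { |v| Untrusted.mark(v) }
end

# Constructed stand-in for a cache client (memcached, redis, ...) that is not
# taint-aware: it stores bytes and hands back a fresh, unmarked String.
class NaiveCache
  def initialize
    @store = {}
  end

  def set(key, value)
    @store[key] = value.to_s.bytes # serialise: only the bytes survive
  end

  def get(key)
    @store[key]&.pack("C*")&.force_encoding(Encoding::UTF_8)
  end
end

# Constructed sample input: an attacker-controlled "name" parameter.
PAYLOAD = "alice' OR 1=1 --"

def query_for(name)
  Untrusted.join("SELECT * FROM users WHERE name = '", name, "'")
end

# Path 1: parameter straight into the query. The mark propagates; the gate fires.
def direct_path(raw_params)
  execute_sql(query_for(params_from_request(raw_params)["name"]))
end

def direct_path_blocked?(raw_params)
  direct_path(raw_params)
  false
rescue SecurityError
  true
end

# Path 2: the same parameter is written to the cache on one request and read
# back on the next. The cache client is not taint-aware, so the bytes come back
# unmarked and the gate lets the injected query through.
def cached_path(raw_params, cache = NaiveCache.new)
  cache.set("last_name", params_from_request(raw_params)["name"])
  execute_sql(query_for(cache.get("last_name")))
end

if __FILE__ == $PROGRAM_NAME
  puts "direct path blocked: #{direct_path_blocked?('name' => PAYLOAD)}"
  puts "cached path ran:     #{cached_path('name' => PAYLOAD)}"
end
```

The point is the second path: the gate is only as good as the least taint-aware library between the request and the query, which is the "one bug here and you're hosed" argument. Parameterised queries do not have this property, because the protection sits at the sink rather than depending on every source.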