Rails is supposed to be developer-friendly AFAICT, so if the name is indeed misleading and makes people assume this feature is meant for something else, we should probably rename it, especially given there's a major version being worked on.
On Wed, Feb 4, 2015 at 4:08 PM, Nicolas Cavigneaux <n...@bounga.org> wrote:
>
> On 4 Feb 2015 at 12:00, Magne <magn...@gmail.com> wrote:
> >
> > I ran into a situation with .html_safe when communicating with a fellow programmer, and discovered that the method name isn't as clear as desired.
> >
> > .html_safe does not mean "please make this html safe", it's the opposite - it is you the programmer telling rails that "this string is html safe, promise!"
> >
> > This can be confused by programmers, and hence be a potential security risk. A programmer should be able to read the name of a method and unambiguously be able to predict what it does, precisely.
>
> Every Rails developer, even beginners, should be aware of #html_safe and how it works since Rails escapes all strings by default. If the developer wants to use #html_safe then there are two possibilities:
>
> - he does want to mark the string as safe, so he searched how to do it and found #html_safe. Everything is OK.
> - he saw #html_safe somewhere, didn't even try to see if strings are already escaped or not, didn't even read the API doc for #html_safe. He was just like "Ok, I'm going to put this everywhere to secure my code!"
>
> This second developer is dumb... Sorry. It means he didn't even read any doc or the Rails guide. Don't let him touch your code until he knows some basics!
>
> I think even a beginner should be aware that Rails escapes strings for you. If he isn't aware of that he needs some training or at least to do some reading.
>
> --
> You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-core+unsubscr...@googlegroups.com.
> To post to this group, send email to rubyonrails-core@googlegroups.com.
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/d/optout.
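The distinction the thread is arguing about, as an added illustration that is not part of the thread and not Rails' own code: a stand-alone Ruby model of the contract in which every interpolated string is escaped unless the programmer has marked it safe. `SafeBuffer`, `render_fragment`, `greeting_html` and `greeting_html_misused` are names assumed for this example (a much-simplified stand-in for ActiveSupport::SafeBuffer and the view layer), and the untrusted input is a constructed sample. It shows that `html_safe` switches escaping off rather than cleaning anything, and what the correct composition looks like.

```ruby
require "erb"

# Simplified stand-alone model of the Rails contract (an assumption of this
# example, not Rails' own ActiveSupport::SafeBuffer): a SafeBuffer is a String
# the programmer has asserted is already safe HTML. Nothing is sanitised here.
class SafeBuffer < String
  def html_safe?
    true
  end

  # Keep the marker through to_s, which String#to_s would otherwise drop for
  # a subclass (Rails' SafeBuffer does the same).
  def to_s
    self
  end
end

class String
  # Plain strings are untrusted by default.
  def html_safe?
    false
  end

  # Mirrors the meaning of Rails' String#html_safe: a promise from the
  # programmer, not a cleaning step.
  def html_safe
    SafeBuffer.new(self)
  end
end

# What a template does with every interpolated value: escape it unless the
# programmer has promised it is safe (hypothetical helper name).
def render_fragment(value)
  value = value.to_s
  value.html_safe? ? value : ERB::Util.html_escape(value)
end

# Correct composition: trusted markup wraps the *escaped* untrusted input,
# and only the finished fragment is marked safe.
def greeting_html(user_name)
  "<p>Hello, #{render_fragment(user_name)}!</p>".html_safe
end

# The misreading the thread describes: calling html_safe on untrusted input
# "to make it safe" disables escaping and lets the markup through unchanged.
def greeting_html_misused(user_name)
  "<p>Hello, #{user_name.html_safe}!</p>".html_safe
end

if __FILE__ == $PROGRAM_NAME
  untrusted = "<script>alert(1)</script>" # constructed sample input
  puts greeting_html(untrusted)           # script tag arrives escaped
  puts greeting_html_misused(untrusted)   # script tag arrives intact
end
```

The point of `greeting_html` is that the only value that ever gets `.html_safe` called on it is markup the programmer wrote; user-supplied data always passes through the escaping path first, so the promise being made is one the code can actually keep.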