[ANN] Cross Site Sniper 0.2 (stable)

I’m pleased to announce the release of Cross Site Sniper 0.2.

Cross Site Sniper is one more addition to the ever growing list of tools
that attempt to provide a convenient and DRY method to protect Rails
sites from Cross Site Scripting (XSS) attacks. There are many plugins
and tools out there that attempt to address this issue, but none of them
met my requirements. So, I created Cross Site Sniper, a Ruby on Rails
plugin that automatically wraps html_escape() around ActiveRecord
attribute methods associated with string and text fields in the


  • All ActiveRecord classes have their dynamically generated accessor
    methods associated with String and Text fields automatically escaped.
    So, no matter if you’re calling the method from a view, a helper, or
    within a controller as part of a RJS response, you don’t need to
    remember to wrap it in h(), because it’s already escaped.

  • Form fields on edit forms prepopulate with unescaped data Users
    edit exactly what they originally submitted, without special characters
    disappearing or unexpectedly morphing into strings of other characters.

  • Easy one-time access to unescaped data when you need it. eg:

  • A convenience method for class definitions is available to fine tune
    which string and text fields get escaped automatically.

  • Original unescaped text is stored in the database and escaped on
    output This allows for unescaped data to be accessed more conveniently
    when necessary, and improved scrubbing techniques to be instantly
    applied to legacy data simply by upgrading or swapping out the plugin
    with another. ( Some xss plugins choose to escape the data on input, a
    philosophy I don’t personally agree with but some people do, so I
    thought it was important to explicitly mention this feature here so
    people could make informed decisions. )

Documentation and Installation instructions are at

Feed back and suggestions are welcome and encouraged. Big thanks to my
employer ( www.wwidea.org ) for allowing this code to be released to the
community under the MIT License.