Escaping Data to Prevent XSS When It Gets Stored


#1

It seems to me that escaping data about to appear in a view in an
rhtml template using h / html_escape is further downstream than you
really want to be escaping certain data. Wouldn’t it make more sense
to escape data before you store it in the database? This way any
code that subsequently picks up the data doesn’t have to worry,
correct? Has anyone done this? Is there a reason you wouldn’t want
to escape the data prior to storage?
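As an added example (not from the original post, and not Rails code), the two approaches in plain Ruby using ERB::Util.html_escape, the function behind the h helper. The in-memory Hash standing in for a database row, the three render helpers and the attacker-style input string are all constructed for the demo. It shows why escape-before-storage tends to be rejected: the stored value is now only correct for one output context (HTML), any view that still calls h double-escapes it, and consumers such as JSON or plain-text email receive HTML entities.

```ruby
require 'erb'
require 'json'

# Constructed attacker-controlled input (not from the original post).
COMMENT = %q{<script>alert(1)</script> & "quotes"}

# A Hash stands in for a database row; the "column" is :body.

# Approach A: store the raw text, escape at the point of HTML output
# (what h / html_escape in an rhtml template does).
def store_raw(text)
  { body: text }
end

# Approach B: escape once before storage, as the question proposes.
def store_escaped(text)
  { body: ERB::Util.html_escape(text) }
end

# Three downstream consumers of the same stored value.

# An HTML view that follows the usual convention of calling h on every value.
def render_html(record)
  "<p>#{ERB::Util.html_escape(record[:body])}</p>"
end

# A JSON endpoint: JSON has its own escaping rules (backslashes, not entities).
def render_json(record)
  JSON.generate(body: record[:body])
end

# A plain-text notification email: no escaping at all is the correct output here.
def render_text_email(record)
  "New comment: #{record[:body]}"
end

# html_escape is not idempotent: applying it twice turns &lt; into &amp;lt;,
# so the browser shows the literal text "&lt;script&gt;" to the user.
def double_escaped?(html)
  html.include?('&amp;lt;') || html.include?('&amp;gt;')
end

# Detects HTML entities that leaked into a non-HTML context.
def has_html_entities?(text)
  text.match?(/&(?:amp|lt|gt|quot|#39);/)
end

if __FILE__ == $PROGRAM_NAME
  [[:raw, store_raw(COMMENT)], [:escaped, store_escaped(COMMENT)]].each do |name, rec|
    puts "--- stored #{name}: #{rec[:body].inspect} (#{rec[:body].length} chars)"
    puts "html:  #{render_html(rec)}"
    puts "json:  #{render_json(rec)}"
    puts "email: #{render_text_email(rec)}"
  end
end
```

Note the length line in the output: escaping before storage also changes the size of what is stored (`<` becomes four characters), so column length limits and validations end up measuring the encoded form rather than what the user typed.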