Rails security model defaults to non-escaped output

Is there a way to toggle the security model so all output is escaped
by default, and passing <%=n (paragraph) %> when I do not want my
output escaped?
Having to add <%=h () %> currently to do it is cumbersome and prone to
mistakes.


Anthony E.
408-656-2473
http://anthony.ettinger.name

Anthony E. wrote:

Is there a way to toggle the security model so all output is escaped
by default, and passing <%=n (paragraph) %> when I do not want my
output escaped?
Having to add <%=h () %> currently to do it is cumbersome and prone to
mistakes.



Think of it this way…
if <%= … %> always outputted escaped html… then what would happen
with this code?

index.html.erb

<%= render :partial => "content" %>
=================

_content.html.erb

<p><strong>some content</strong></p>
=================

output

&lt;p&gt;&lt;strong&gt;some content&lt;/strong&gt;&lt;/p&gt;
=================

oh yeah…
that’d be a bit rubbish.

hope that helps.

http://workingwithrails.com/person/12394-matthew-rudy-jacobs

But the question was if there was a way to modify the models, not erb.
(which is what changes ruby to strings) And no, there isn't a Rails way
to do what you are asking, and unfortunately I don't know any plugins
that do that. I have thought about it myself a few times and if it
really bothers you I'd suggest writing a plugin for it. I'm sure it'd get
much appreciation.

j

On Jul 6, 10:14 pm, Matthew R. Jacobs <rails-mailing-l…@andreas-

<%= render :partial => "content" %>

Or indeed <%= link_to …%>, <%= text_field … %>
With the current setup it’s going to be very hard to get this right.

Fred

“Wolas!” wrote:

But the question was if there was a way to modify the models, not erb.
(which is what changes ruby to strings) And no, there isn't a Rails way
to do what you are asking, and unfortunately I don't know any plugins
that do that. I have thought about it myself a few times and if it
really bothers you I'd suggest writing a plugin for it. I'm sure it'd get
much appreciation.

j

On Jul 6, 10:14 pm, Matthew R. Jacobs <rails-mailing-l…@andreas-

no, that isn’t what he asked.
He asked about “the security model” in a generic sense.

namely he was asking about erb template escaping.

I imagine if you wanted to escape HTML on the model level,
you'd just want to do the following.

require "erb"

class Post < ActiveRecord::Base
  # Returns the content HTML-escaped by default; pass false to get it raw.
  # ERB::Util.html_escape is what the view helper h() calls, so the model
  # does not need a view helper object (the original `helper.send(:h, ...)`
  # is not defined inside a model).
  def content(escape = true)
    if escape
      ERB::Util.html_escape(self[:content])
    else
      self[:content]
    end
  end
end

That worked in Rails 1.1.6;
don't know if it still works.
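Added example (my own illustration, not Rails code and not from anyone in this thread) of the escape-by-default scheme Anthony asks for, with his <%=n ... %> opt-out plus a trusted-markup marker so that helpers and partials (Matthew's objection) are not escaped a second time; SafeBuffer, EscapeByDefault, Context, link_to and render_partial are names assumed here, and the template rewriting is a simple regex, not a real ERB parser:

```ruby
require "erb"
# Marker for strings that are already trusted markup (what Rails 3 later
# called html_safe); the default escaping leaves these alone.
class SafeBuffer < String
  def html_safe?
    true
  end
end

module EscapeByDefault
  # Escape a value unless it is already marked as trusted markup.
  def self.h(value)
    return value if value.respond_to?(:html_safe?) && value.html_safe?
    SafeBuffer.new(ERB::Util.html_escape(value.to_s))
  end
  # The explicit opt-out: declare a fragment trusted without escaping it.
  def self.raw(value)
    SafeBuffer.new(value.to_s)
  end
  # Rewrite every <%=n expr %> to <%= raw(expr) %> and every <%= expr %> to
  # <%= h(expr) %>, then evaluate against ctx. The result is marked trusted,
  # so a partial rendered from another template is not escaped twice.
  def self.render(template, ctx)
    src = template.gsub(/<%=n\s+(.+?)\s*%>/m) { "<%= raw(#{$1}) %>" }
    src = src.gsub(/<%=\s*(.+?)\s*%>/m) { "<%= h(#{$1}) %>" }
    SafeBuffer.new(ERB.new(src).result(ctx.template_binding))
  end

  # Evaluation context: locals become instance variables, plus two helpers
  # standing in for link_to and render :partial (names assumed here).
  class Context
    def initialize(locals = {})
      locals.each { |name, value| instance_variable_set("@#{name}", value) }
    end
    def h(value);   EscapeByDefault.h(value);   end
    def raw(value); EscapeByDefault.raw(value); end
    # Helpers escape their untrusted parts and mark the whole as trusted,
    # so <%= link_to ... %> still emits a real link under default escaping.
    def link_to(text, href)
      raw(%(<a href="#{h(href)}">#{h(text)}</a>))
    end
    def render_partial(template)
      EscapeByDefault.render(template, self)
    end
    def template_binding
      binding
    end
  end
end
```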