Rails security model defaults to non-escaped output

Is there a way to toggle the security model so all output is escaped
by default, and passing <%=n (paragraph) %> when I do not want my
output escaped?
Having to add <%=h () %> currently to do it is cumbersome and prone to
mistakes.


Anthony E.
408-656-2473
http://anthony.ettinger.name

Anthony E. wrote:

> Is there a way to toggle the security model so all output is escaped
> by default, and passing <%=n (paragraph) %> when I do not want my
> output escaped?
> Having to add <%=h () %> currently to do it is cumbersome and prone to
> mistakes.

Think of it this way…
if <%= … %> always output escaped HTML… then what would happen
with this code?

index.html.erb:

  <%= render :partial => "content" %>

_content.html.erb:

  <p><strong>some content</strong></p>

output:

  &lt;p&gt;&lt;strong&gt;some content&lt;/strong&gt;&lt;/p&gt;

oh yeah…
that’d be a bit rubbish.

hope that helps.

http://workingwithrails.com/person/12394-matthew-rudy-jacobs
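The double-escaping problem Matthew describes, and the shape of a fix for it, as an added example in plain Ruby (it is not code from the thread and not Rails' own implementation). The assumption is a toy output buffer that escapes every value unless it is wrapped in a `SafeString`; a partial renders into its own buffer and hands back its result already marked safe, so the including template inserts it once and escapes only the untrusted value beside it. Rails 3 later shipped this idea as `html_safe`/`SafeBuffer`; the classes, method names and sample input below are constructed for the example.

```ruby
require 'erb'

# Marker for markup that has already been escaped or is trusted template
# output (assumption: the toy equivalent of a safe buffer, not Rails code).
class SafeString < String; end

class EscapingBuffer
  def initialize
    @out = SafeString.new("")
  end

  # The <%= %> of the question: escape everything that is not marked safe.
  def append(value)
    @out << (value.is_a?(SafeString) ? value : ERB::Util.html_escape(value))
    self
  end

  # The <%=n %> escape hatch from the question: insert verbatim, no escaping.
  def append_raw(value)
    @out << value.to_s
    self
  end

  # The finished buffer is itself safe, so a parent template can append it.
  def to_s
    @out
  end
end

# _content.html.erb from the thread: literal markup around an escaped value.
def render_partial
  EscapingBuffer.new
    .append_raw("<p><strong>")
    .append("some content")
    .append_raw("</strong></p>")
    .to_s
end

# index.html.erb: the partial is already safe and is inserted as-is, while
# the untrusted value next to it is escaped exactly once.
def render_index(untrusted)
  EscapingBuffer.new
    .append(render_partial)
    .append(untrusted)
    .to_s
end

# What Matthew warns about: if <%= %> escaped unconditionally, the partial's
# own markup would come out as visible text instead of HTML.
def render_index_escape_everything
  ERB::Util.html_escape(render_partial)
end

if $PROGRAM_NAME == __FILE__
  puts render_index('<b>user input</b>')   # constructed sample input
  puts render_index_escape_everything
end
```

The point of the `SafeString` marker is that "escaped by default" only works if the system can tell template output from data: anything that comes from a partial, a helper like `link_to`, or a deliberate `<%=n %>` has to be tagged as already-safe, otherwise it gets escaped a second time on the way into the parent template.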

But the question was if there was a way to modify the models, not ERB
(which is what changes Ruby to strings). And no, there isn't a Rails way
to do what you are asking, and unfortunately I don't know any plugins
that do that. I have thought about it myself a few times and if it
really bothers you I'd suggest writing a plugin for it. I'm sure it'd get
much appreciation.

j

On Jul 6, 10:14 pm, Matthew R. Jacobs <rails-mailing-l…@andreas-

> <%= render :partial => "content" %>

Or indeed <%= link_to …%>, <%= text_field … %>
With the current setup it’s going to be very hard to get this right.

Fred

“Wolas!” wrote:

> But the question was if there was a way to modify the models, not ERB
> (which is what changes Ruby to strings). And no, there isn't a Rails way
> to do what you are asking, and unfortunately I don't know any plugins
> that do that. I have thought about it myself a few times and if it
> really bothers you I'd suggest writing a plugin for it. I'm sure it'd get
> much appreciation.
>
> j
>
> On Jul 6, 10:14 pm, Matthew R. Jacobs <rails-mailing-l…@andreas-

No, that isn't what he asked.
He asked about "the security model" in a generic sense,
namely he was asking about ERB template escaping.

I imagine if you wanted to escape HTML on the model level,
you'd just want to do the following.

require 'erb'

class Post < ActiveRecord::Base
  include ERB::Util   # provides h (html_escape), so the model can escape its own column

  # Escaped by default; pass escape=false to get the stored HTML back untouched.
  def content(escape = true)
    if escape
      h(self[:content])
    else
      self[:content]
    end
  end
end

That worked in Rails 1.1.6;
don't know if it still works.
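The model-level accessor above, exercised through real ERB templates, as an added example (not code from the thread or from Rails). The assumption is a plain Ruby `Post` class with a hash of attributes standing in for `ActiveRecord::Base`, and a small `View` class that includes `ERB::Util` the way a Rails view does; the sample content string is constructed. It shows the three cases a practitioner needs to check: the default accessor escapes once, the raw accessor returns the stored markup, and combining the escaping accessor with the view's `h` escapes twice, which is the layering mistake to watch for when escaping moves into the model.

```ruby
require 'erb'

# Stand-in for the ActiveRecord model (assumption: a hash of attributes
# replaces ActiveRecord::Base so the example runs without Rails).
class Post
  include ERB::Util   # h / html_escape, as in the post above

  def initialize(attributes)
    @attributes = attributes
  end

  # Mimics ActiveRecord's attribute lookup, post[:content].
  def [](name)
    @attributes[name]
  end

  # Escaped by default; callers that want the stored HTML pass escape=false.
  def content(escape = true)
    escape ? h(self[:content]) : self[:content]
  end
end

# Minimal view context: ERB::Util for h, and the post in scope for the template.
class View
  include ERB::Util

  attr_reader :post

  def initialize(post)
    @post = post
  end

  # Render an ERB template string with this view's binding, as a Rails view would.
  def render(template)
    ERB.new(template).result(binding)
  end
end

if $PROGRAM_NAME == __FILE__
  post = Post.new(content: '<b>Tom & "Jerry"</b>')   # constructed sample content
  view = View.new(post)
  puts view.render("<%= post.content %>")          # escaped once
  puts view.render("<%= h post.content %>")        # escaped twice: the pitfall
  puts view.render("<%= post.content(false) %>")   # raw stored markup
end
```

The double-escaped output is the reason model-level escaping is awkward in practice: every view that already wraps values in `h` now produces `&amp;lt;` on screen, so the change has to be made consistently across the model and every template that reads it.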
