Safe Erb plugin Implementation Issue


I am trying to implement the Safe Erb Plugin in my rails 2.0.2 app. I am
using this version for project specific purposes along with Ruby 1.8.7.

I have referred to the following tutorials:

I could make only some sense of the above Url’s as I am a newbie to
Rails and Rails related plugins. I honestly also found the above
tutorials to be very generic.

I really also couldn’t relate this plugin’s use to a great extent in
terms of real world sense from the above tutorials. Could you please
enlighten me on its usage on a day to day real world…?

I have implemented a books appl which has an author, title and
publishing date. I am currently facing issues implementing the taint
feature of this plugin

In the second tutorial, they say we need to call the tainted? method
from the Objects class. I have done this in my create method of my
books_controller.rb. The code for the create method looks like this:

def create
@book =[:book])
@book.publishing_date = params[:publishing_date]

respond_to do |format|

    flash[:notice] = 'Book was successfully created.'
    format.html { redirect_to(@book) }
    format.xml  { render :xml => @book, :status => :created,

:location => @book }
format.html { render :action => “new” }
format.xml { render :xml => @book.errors, :status =>
:unprocessable_entity }

  if @book.tainted?
    flash[:notice] = 'Books are tainted'
    format.html { redirect_to(@book) }
    format.xml  { render :xml => @book, :status => :created,

:location => @book }
flash[:notice] = ‘Books aren’t tainted’
format.html { render :action => “new” }
format.xml { render :xml => @book.errors, :status =>
:unprocessable_entity }


Upon creating a new book record I get a notice saying that “Books aren’t
tainted”. I have
copied this plugin into my vendor/plugins directory.

As per the second tutorial url they say “The string becomes tainted when
it is read from IO, such as the data read from the DB or HTTP request.”

But its not happening in my case when I try to create a new book record.
Do I need to explicitly taint the string input I am taking(its currently
in varchar as per DB types - I guess that shouldn’t be an issue). If yes
could you please tell me how to do it.


if its not the above case… Am I missing something?

Any insights on this would be really appreciated.

Thank you…

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs