Two quick questions:

  1. Does scaffolding (and in particular the show() method) do any
    escaping of strings coming from the database? I did a quick check,
    and it doesn’t seem to (or possibly it only escapes “dangerous” code,
    and it was smart enough to see that mine was not dangerous).

  2. A lot of the documentation for testing seems to refer to an older
    configuration. Now, out of the box, it expects you to use a
    transactional database and does not create all the convenience
    instance variables. I’ve only found one online resource that
    discusses this (not hosted on the RoR website). Is there any
    “official” documentation to the new testing setup?

-Rich-