Why escape HTML in the view?

Hey,

I don’t understand why Rails seems to mandate escaping HTML in the view
rather than when it’s inserted into the database. I cringe when I think
about all those needlessly repeated function calls.

What’s the deal?

Why not just escape it when it is inserted, then? Overload the
accessor to process the strings in the model.

-carl

Ian L. wrote:

I don’t understand why Rails seems to mandate escaping HTML in the view
rather than when it’s inserted into the database. I cringe when I think
about all those needlessly repeated function calls.

To make sure that nothing in the database, whether it was inserted by
your application or not, will break your views.

– Marcus

On 9/21/06, Marcus B. [email protected] wrote:

I don’t understand why Rails seems to mandate escaping HTML in the view
rather than when it’s inserted into the database. I cringe when I think
about all those needlessly repeated function calls.

To make sure that nothing in the database, whether it was inserted by
your application or not, will break your views.

Of course, Rails’ opinion is that it is the only thing touching the
database. I’d say the reason you would want it in plain text in the
database by default is that you wouldn’t necessarily always be
outputting HTML. If you never plan on needing anything other than the
HTML output, then by all means, store HTML in the database. However,
in most cases, doing so from the start would be a premature
optimization.

Jeremy

@Ian

I don’t believe that Rails mandates that you escape your characters. Only
the default scaffolding does that. It’s a good idea to do it because it
allows you to be flexible.

Of course, it would be a fun exercise to make an acts_as_sanitized plugin
that would sanitize the data coming in to the model. Should be pretty easy
to do too… it might be a good exercise for someone wanting to write his
or her first plugin.

Ian L. wrote:

Hey,

I don’t understand why Rails seems to mandate escaping HTML in the view
rather than when it’s inserted into the database. I cringe when I think
about all those needlessly repeated function calls.

What’s the deal?

Because HTML escaping is part of the process of presenting the
information as HTML. There may be other ways of getting to the data,
e.g. via a web service or in a CSV report.

regards

Justin

Brian H. wrote:

Of course, it would be a fun exercise to make an acts_as_sanitized
plugin that would sanitize the data coming in to the model. Should be
pretty easy to do too… it might be a good exercise for someone
wanting to write his or her first plugin.

Here’s one I prepared earlier:

http://groups.google.com/group/rubyonrails-core/msg/61913e7144507590


We develop, watch us RoR, in numbers too big to ignore.

On Thu, Sep 21, 2006 at 03:54:13PM +0100, Ian L. wrote:

Hey,

I don’t understand why Rails seems to mandate escaping HTML in the view
rather than when it’s inserted into the database. I cringe when I think
about all those needlessly repeated function calls.

What’s the deal?

Because you’re not storing HTML, you’re storing text. HTML is one
possible (albeit likely) presentation format. Other people may want to
work with your data, though, outside of a web browser.

Store text, and run it through “h” when you need to show it in a
browser.

Michael

Michael Darrin Chaney
[email protected]
http://www.michaelchaney.com/
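The point Justin and Michael make above (escape at presentation time, because HTML is only one output format) and the counter-proposal from Carl and Brian (escape in a model accessor or an acts_as_sanitized plugin on the way in) can both be seen in a few lines of Ruby. The following is an added example, not code from the thread or from Rails; it uses `ERB::Util.html_escape`, which is what the Rails `h` helper calls, together with the stdlib `csv` and `json` libraries, on a constructed sample string. The `escape_on_write` function stands in for the hypothetical model-level sanitizer.

```ruby
require "erb"   # ERB::Util.html_escape is what Rails' `h` helper calls
require "csv"
require "json"

# Constructed sample record: the text exactly as a user submitted it.
# Stored unmodified, as the thread recommends.
STORED_TEXT = 'Tom & Jerry <script>alert("hi")</script>'

# --- Presentation-time escaping: each output format applies its own rules ---

# HTML: entities for & < > " ' (what `h` does in a Rails view).
def render_html(text)
  "<p>#{ERB::Util.html_escape(text)}</p>"
end

# CSV: protection comes from quoting the field and doubling embedded
# quotes; HTML entities would be garbage to a spreadsheet.
def render_csv(text)
  CSV.generate_line(["comment", text]).chomp
end

# JSON: only the double quote (and control characters) need escaping;
# & and < pass through untouched.
def render_json(text)
  JSON.generate({ "comment" => text })
end

# --- What goes wrong if the model escapes on the way in instead ---

# Hypothetical acts_as_sanitized-style setter: HTML-escape before saving.
def escape_on_write(text)
  ERB::Util.html_escape(text)
end

# The view still calls `h` (it cannot tell that the column is already
# escaped), so every `&` produced by the first pass is escaped again and
# the browser shows literal "&amp;" to the user.
def html_from_prescaped(text)
  render_html(escape_on_write(text))
end

# A CSV export of the pre-escaped column leaks HTML entities into a
# format that does not understand them.
def csv_from_prescaped(text)
  render_csv(escape_on_write(text))
end

if __FILE__ == $PROGRAM_NAME
  puts render_html(STORED_TEXT)
  puts render_csv(STORED_TEXT)
  puts render_json(STORED_TEXT)
  puts html_from_prescaped("Tom & Jerry")
  puts csv_from_prescaped("Tom & Jerry")
end
```

Run it with `ruby escape_demo.rb` (any file name will do). The three `render_*` functions show why the escaping rules belong with the output format: the same stored text needs entities for HTML, quote-doubling for CSV and backslash escapes for JSON. The two `*_from_prescaped` functions show the two failure modes of escaping in the model: double-escaped output in the view and HTML entities in non-HTML exports.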

I hadn’t taken into consideration media types other than HTML, and I do
plan to output XML at some point.
I agree with Jeremy that it’s a premature optimization; I’ll reassess
the issue in the future.

Thanks for pointing me in the right direction.