It seems to me that escaping data about to appear in a view in an rhtml template using h / html_escape is further downstream than you really want to be escaping certain data. Wouldn't it make more sense to escape data *before* you store it in the database? This way any code that subsequently picks up the data doesn't have to worry, correct? Has anyone done this? Is there a reason you *wouldn't* want to escape the data prior to storage?
on 2007-07-23 21:37
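The two approaches the post compares, as an added example that is not part of the original post: one constructed value is run through escape-before-storage and escape-in-the-view, and the result shows what an HTML template, a JSON consumer and a length check each receive. `h` is defined here from the standard library's `ERB::Util.html_escape`; the helper names and the sample string are assumptions.

```ruby
require 'erb'
require 'json'

# Constructed sample input, not taken from the original post.
SAMPLE = 'Tom & Jerry <b>fans</b>'

# Stand-in for the h / html_escape view helper, via the standard library.
def h(value)
  ERB::Util.html_escape(value)
end

# Simulate one stored value being picked up by several downstream consumers.
def outputs_for(stored)
  {
    html_with_h:    "<p>#{h(stored)}</p>",  # template author calls h
    html_without_h: "<p>#{stored}</p>",     # template trusts the stored value
    # Non-HTML consumer: round-trip through JSON as an API client would.
    json_api:       JSON.parse(JSON.generate('comment' => stored))['comment'],
    length:         stored.length           # e.g. column width or truncation logic
  }
end

# Approach A: escape before storage, as the post proposes.
def escape_on_write(raw)
  outputs_for(h(raw))
end

# Approach B: store the raw value, escape in the view.
def escape_on_output(raw)
  outputs_for(raw)
end

if __FILE__ == $PROGRAM_NAME
  { 'escape on write' => escape_on_write(SAMPLE),
    'escape on output' => escape_on_output(SAMPLE) }.each do |name, out|
    puts "== #{name}"
    out.each { |consumer, value| puts format('%-15s %s', consumer, value) }
  end
end
```

With escape-on-write, a template that still calls `h` double-escapes and the JSON consumer receives HTML entities; with escape-on-output, a template that omits `h` emits the markup unescaped.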