m4dc4p wrote:

> It's still only about 50% of the solution but I did think it was
> interesting. One problem with it is that Rails is smart enough to HTML
> encode values passed to many of its functions, so you will see
> double-escaping. I also noticed that if I dumped something like
> <%=params.%> on the page (to see all key-value pairs) the "name" value
> inside would NOT be escaped. I don't how that value is displayed
> without to_s being called, though.

I tried to stir up a little discussion about this a few days ago. 
Personally I think the default behaviour of rails apps should be to 
escape data by default and only return unescaped stuff when requested.

I don't think mucking with ERb is such a great idea since it is used for 
lots of other non-rails stuff.

One solution I have been pondering is to modify the method_missing 
function so that when you request an attribute, it escapes the text 
coming back.  It should also define an alternate attribute called 
'unsafe_#{attribute}' or 'unescaped_#{attribute}' in case you really 
want the raw data.

This should protect against any text being retrieved by the database. 
It won't clean up instance variables if they don't originate in the 
database, but this should avoid the majority of problems.

_Kevin

-- 
Posted via http://www.ruby-forum.com/.