The problem is not working out how to unescape HTML -- CE already stores safe HTML unescaped in its database, having passed it through WhiteList before storing it to ensure that it is not, in fact, malicious. The problem is deciding when and how to override Haml's default escaping of HTML it sends to the browser. The safe thing to do is probably to override HTML escaping only where it's needed (preserve sanitized user formatting, etc.), but you could argue that since CE is very careful about what it already stores in the database and sends to the browser, you don't need the extra level of protection from Rails/Haml. I'm hoping Bruno will weigh in and suggest the right way to handle this such that he would accept a patch.
--Hugh

--
You received this message because you are subscribed to the Google Groups "CommunityEngine" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/communityengine?hl=en.
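The pattern Hugh describes (allowlist at write time, escape everything at render time, and override the escaping only for the one field that was already allowlisted) is easy to get wrong in either direction, so here is a self-contained Ruby sketch of both halves. This is an added example, not CommunityEngine's code and not the WhiteList plugin: `allowlist_sanitize` is a deliberately small stand-in for the write-time allowlist, `SafeHtml`/`html_safe` are a stand-in for Rails' `html_safe`/`SafeBuffer` marking, and `escape_for_view` mimics what Haml does by default when it respects `html_safe?`. Tag names, sample input and the profile template are constructed for the example.

```ruby
require 'erb'      # ERB::Util.html_escape (stdlib)
require 'strscan'

# --- output side: escape by default, pass through only what is marked safe ---

# Hypothetical stand-in for Rails' SafeBuffer: a String whose content is
# trusted to be safe HTML (because it was allowlisted before storage).
class SafeHtml < String
  def html_safe?
    true
  end
end

class String
  # Plain strings are never trusted; this mirrors Rails' String#html_safe?.
  def html_safe?
    false
  end

  # Explicit opt-out of escaping, to be called only on already-sanitized data.
  def html_safe
    SafeHtml.new(self)
  end
end

# What a Haml-style renderer does with every interpolated value:
# escape it unless the value carries the "already safe" mark.
def escape_for_view(value)
  return value if value.html_safe?
  ERB::Util.html_escape(value)
end

# --- write side: a tiny allowlist, standing in for WhiteList ---

# Constructed allowlist: simple formatting tags only, and no attributes at all,
# so event handlers and href/src values never reach the database.
ALLOWED_TAGS = %w[b i em strong p br].freeze
TAG_RE = %r{<(/?)([A-Za-z][A-Za-z0-9]*)[^>]*>}

def allowlist_sanitize(html)
  s = StringScanner.new(html)
  out = +''
  until s.eos?
    if s.scan(TAG_RE)
      closing = s[1]
      name = s[2].downcase
      if ALLOWED_TAGS.include?(name)
        out << "<#{closing}#{name}>"               # re-emit tag, attributes dropped
      else
        out << ERB::Util.html_escape(s.matched)    # unknown tag becomes visible text
      end
    elsif s.scan(/[^<]+/)
      out << ERB::Util.html_escape(s.matched)      # text content is escaped
    else
      out << ERB::Util.html_escape(s.getch)        # a lone '<' with no tag after it
    end
  end
  out
end

# --- putting both halves together for one constructed "profile" view ---

# display_name is ordinary text and is escaped like any other field.
# stored_bio is the one field that was allowlisted before it was stored
# (as CE does), so it is the one place the default escaping is bypassed.
def render_profile(display_name, stored_bio)
  "<h1>#{escape_for_view(display_name)}</h1>\n" \
  "<div class=\"bio\">#{escape_for_view(stored_bio.html_safe)}</div>"
end

if __FILE__ == $PROGRAM_NAME
  submitted = '<b onmouseover="steal()">Hi</b> <script>alert(1)</script>'
  stored = allowlist_sanitize(submitted)   # what would go into the database
  puts render_profile('Tom & "Jerry"', stored)
end
```

Two caveats worth keeping in mind when applying this for real: `ERB::Util.html_escape` will double-escape entities that are already present in the input (`&amp;` becomes `&amp;amp;`), and a real allowlist such as WhiteList or Rails' `sanitize` helper needs to handle attributes like `href` carefully rather than dropping them wholesale as this sketch does. The point the example makes is on the output side: the `html_safe` mark is applied in exactly one place, on a field known to have been sanitized at write time, and every other value keeps Haml's default escaping.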
