On Thu, 15 Nov 2007 08:29:54 -0500, Russell Norris wrote:
> I can't imagine this isn't going to bite you in the arse later though,
> when you use an HTML-generating helper and get it HTML-escaped. YMMV
>
> RSL
Why would it bite you in the ass? That's the point of having the special operator which would cause output to not be escaped. Getting bit in the ass is when you *forget* to call h(), and as a result have some XSS hack output to your page.

In my scenario, forgetting to indicate that it shouldn't escape the content results in a little bit of HTML being output to the screen. Hardly anything more than an annoyance.

Plus it's easier to test for the few things that should be allowed, than all of the things that aren't allowed, if you know the rendering engine is taking care of a lot of the "not allowed" by default.

Steve
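The trade-off Russell and Steve are arguing about, as an added example that is not part of the original thread and is not Haml's code: a toy escape-by-default renderer in plain Ruby. The placeholder syntax, the SafeHtml marker class, and the raw/link_to/render helpers are all hypothetical stand-ins for a template engine's "escape unless told otherwise" rule and its explicit unescape operator. The three cases show the untrusted value that is escaped without anyone remembering h(), the helper whose output passes through because the helper marked it safe (Russell's concern, handled), and the forgotten marker that produces visible escaped markup instead of script execution (Steve's "annoyance" case).

```ruby
require "cgi"

# Added example, not Haml's code: a toy escape-by-default renderer.
# Strings wrapped in SafeHtml were produced by trusted code (a helper)
# and are emitted verbatim; every other value is HTML-escaped.
class SafeHtml < String; end

# Hypothetical helper standing in for an explicit "do not escape" operator.
def raw(html)
  SafeHtml.new(html.to_s)
end

# Hypothetical HTML-generating helper of the kind Russell mentions.
# It escapes its own inputs and marks the result safe, so the renderer
# does not escape it a second time.
def link_to(text, href)
  raw(%(<a href="#{CGI.escapeHTML(href)}">#{CGI.escapeHTML(text)}</a>))
end

# Escape-by-default output rule: only SafeHtml bypasses escaping.
def render_value(value)
  value.is_a?(SafeHtml) ? value.to_s : CGI.escapeHTML(value.to_s)
end

# Minimal template: {{name}} placeholders, each passed through render_value.
def render(template, vars)
  template.gsub(/\{\{(\w+)\}\}/) do
    render_value(vars.fetch(Regexp.last_match(1).to_sym))
  end
end

# Constructed inputs for the three cases discussed in the thread.
UNTRUSTED = "<script>alert(1)</script>" # attacker-controlled value
HELPER_HTML = link_to("Home", "/")      # helper output, marked safe
FORGOTTEN = "<b>bold</b>"               # HTML snippet, marker forgotten

# Case 1: the untrusted value is escaped without anyone calling h().
def untrusted_case
  render("<p>Hello, {{name}}</p>", name: UNTRUSTED)
end

# Case 2: helper output passes through because the helper marked it safe.
def helper_case
  render("<nav>{{link}}</nav>", link: HELPER_HTML)
end

# Case 3: forgetting the marker shows escaped markup on screen, not a script.
def forgotten_marker_case
  render("<p>{{snippet}}</p>", snippet: FORGOTTEN)
end

if __FILE__ == $PROGRAM_NAME
  puts untrusted_case
  puts helper_case
  puts forgotten_marker_case
end
```

The design point is that the failure mode is asymmetric: under escape-by-default, the only thing a forgotten marker can produce is literal text like &lt;b&gt; on the page, whereas under escape-on-request a forgotten h() call hands the attacker's markup to the browser.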
