Try h(content_tag(:div, "Foo")) then, and see why you might not want to assume everything should be html escaped.

RSL

On Nov 15, 2007 8:59 AM, Steve <[EMAIL PROTECTED]> wrote:
>
> On Thu, 15 Nov 2007 08:29:54 -0500, Russell Norris wrote:
>
> > I can't imagine this isn't going to bite you in the arse later though,
> > when you use an html-generating helper and get it html-escaped. YMMV
> >
> > RSL
>
> Why would it bite you in the ass? That's the point of having the special
> operator which would cause output to not be escaped. Getting bit in the
> ass is when you *forget* to call h(), and as a result have some xss hack
> output to your page. In my scenario, forgetting to indicate that it
> shouldn't escape the content results in a little bit of html being output
> to the screen. Hardly anything more than an annoyance. Plus it's easier to
> test for the few things that should be allowed, than all of the things
> that aren't allowed, if you know the rendering engine is taking care of a
> lot of the "not allowed" by default.
>
> Steve

You received this message because you are subscribed to the Google Groups "Haml" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/haml?hl=en
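As an added illustration of the trade-off in this thread (my example, not code from Haml or from anyone in the discussion): a small escape-by-default renderer in plain Ruby with a "safe" marker, so that h() on untrusted input escapes it once while output from a helper like content_tag is not double-escaped. SafeString, render and render_naive are names assumed for this example; only CGI.escapeHTML from the standard library is used.

```ruby
require 'cgi'

# Marker for markup that is already escaped or was built by a trusted helper.
# Escaping it again would double-escape: h(content_tag(:div, "Foo")) would
# show up on the page as literal text instead of a div.
class SafeString < String
  def html_safe?
    true
  end
end

# Ordinary strings (user input, database values) are never safe by default.
class String
  def html_safe?
    false
  end
end

# h(): the escaping helper from the thread. Made idempotent via the marker:
# already-safe output passes through, anything else gets escaped once.
def h(value)
  return value if value.respond_to?(:html_safe?) && value.html_safe?
  SafeString.new(CGI.escapeHTML(value.to_s))
end

# Minimal content_tag: escapes the inner content (it may be untrusted) but
# marks the surrounding markup safe so the renderer leaves it alone.
def content_tag(name, content)
  SafeString.new("<#{name}>#{h(content)}</#{name}>")
end

# Naive escape-by-default: escapes everything, so helper output reaches the
# page as visible tags (the "annoyance" Steve describes).
def render_naive(value)
  CGI.escapeHTML(value.to_s)
end

# Escape-by-default that honours the marker: untrusted strings are escaped
# unless a helper explicitly vouched for its output.
def render(value)
  h(value).to_s
end

# Constructed sample of untrusted input, the case forgetting h() would expose.
USER_INPUT = '<script>alert(1)</script>'
puts render_naive(content_tag(:div, 'Foo'))  # &lt;div&gt;Foo&lt;/div&gt;
puts render(content_tag(:div, 'Foo'))        # <div>Foo</div>
puts render(USER_INPUT)                      # &lt;script&gt;alert(1)&lt;/script&gt;
puts render(content_tag(:div, USER_INPUT))   # <div>&lt;script&gt;alert(1)&lt;/script&gt;</div>
```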
