Hi,

The future releases of Rails, 2.3.5 and 3.0, will mark strings as html_safe if they can be output safely. You can see the details about that in this commit on the 2.3 branch: http://github.com/rails/rails/commit/80da8eb43dfabb4ca9f0adcb431882d03e6388bb.

The idea behind this change is to have on-by-default XSS escaping in Rails. RailsXss (http://github.com/nzkoz/rails_xss) is a plugin for Rails 2.3 that brings this safety by using erubis. Haml already has an option for automatically escaping HTML strings, but it can be improved by not escaping strings that are already marked as html_safe. For example, the following line should output a link:

Click on #{link_to 'this link', '/this-link'}

If auto-escaping is enabled, Haml will escape it, but Rails marks the result of link_to as safe, so Haml should not escape it.

I've tried to modify the code of Haml, but I'm not very confident in my changes, so a code review is welcome. The changes are on GitHub: http://github.com/nono/haml/tree/rails_xss.

++ Bruno

You received this message because you are subscribed to the Google Groups "Haml" group. For more options, visit this group at http://groups.google.com/group/haml?hl=en
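The following is an added example, not code from Haml, Rails or Bruno's branch: a small Ruby model of the "escape unless already marked html_safe" rule the message asks for, next to the always-escape behaviour it replaces. SafeBuffer, html_escape, link_to, render_line and render_line_always_escaping are hypothetical stand-ins written here for illustration; they follow the html_safe idea of the Rails commit but are not the real Rails or Haml APIs.

```ruby
# Added example modelling the html_safe contract; the classes and helpers below
# are hypothetical stand-ins, not the Rails 2.3.5/3.0 or Haml implementations.

# A String subclass whose only job is to carry the "already safe HTML" mark.
class SafeBuffer < String
  def html_safe?
    true
  end
end

class String
  # Plain strings are untrusted by default.
  def html_safe?
    false
  end

  # Mark a string as trusted, already-escaped markup.
  def html_safe
    SafeBuffer.new(self)
  end
end

HTML_ESCAPES = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;'
}.freeze

# Unconditional escaping of the characters that matter in HTML text and attributes.
def escape_raw(str)
  str.gsub(/[&<>"']/) { |c| HTML_ESCAPES[c] }
end

# The rule the Haml change needs: escape unless the value is already html_safe.
# Note: String#to_s on a SafeBuffer would return a plain String and drop the
# mark, so only call to_s on non-String values.
def html_escape(value)
  s = value.is_a?(String) ? value : value.to_s
  return s if s.html_safe?
  escape_raw(s).html_safe
end

# A link_to stand-in. The safe mark is only as good as the helper that sets it:
# the text and href are escaped BEFORE the assembled tag is marked safe, so a
# user-controlled link text cannot smuggle markup through the mark.
def link_to(text, href)
  %(<a href="#{escape_raw(href.to_s)}">#{escape_raw(text.to_s)}</a>).html_safe
end

# Mimics a Haml line with auto-escaping on, after the proposed change: each
# interpolated piece goes through html_escape, so link_to output passes through
# untouched while raw user input is escaped.
def render_line(pieces)
  pieces.map { |p| html_escape(p) }.join.html_safe
end

# The behaviour Bruno describes as the problem: auto-escaping that ignores the
# html_safe mark and so double-escapes the link_to result.
def render_line_always_escaping(pieces)
  pieces.map { |p| escape_raw(p.to_s) }.join
end

if __FILE__ == $PROGRAM_NAME
  link = link_to('this link', '/this-link')
  puts render_line(['Click on ', link])
  puts render_line_always_escaping(['Click on ', link])
  puts render_line(['Hello ', '<script>alert(1)</script>'])
end
```

Running the file prints the link intact from render_line, the double-escaped `&lt;a href=...` text from the old behaviour, and the escaped script tag for untrusted input, which is the three-way distinction the html_safe mark is meant to make.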
