On 2/12/06, Nathaniel S. H. Brown <[EMAIL PROTECTED]> wrote: > I was just reading a blog post, about how PHP applications lack so much as > far as security goes, and it got me thinking that Rails should come default > secure, and you should have to force it to be less secure. > > On that note, I came up with the idea of having <%= default to use the XSS > safe (or soon to be) h method. > > So, <%=h var %> and <%= var %> are really the same. > > Any thoughts?
Unftortunately this would break existing applications which rely on the original behaviour. So even if we thought it was something we'd like to do, it'd have to wait until rails 2.0. It's also a little counter-intuitive, I don't know that I like the idea. -- Cheers Koz _______________________________________________ Rails-core mailing list Rails-core@lists.rubyonrails.org http://lists.rubyonrails.org/mailman/listinfo/rails-core
