+1 Would reduce clutter on the templates. It's pretty annoying to have to remember to put them in, and even more annoying to get tickets from QA about XSS.
On 2/11/06, Nathaniel S. H. Brown <[EMAIL PROTECTED]> wrote:
> I was just reading a blog post about how PHP applications lack so much as
> far as security goes, and it got me thinking that Rails should come default
> secure, and you should have to force it to be less secure.
>
> On that note, I came up with the idea of having <%= default to use the XSS
> safe (or soon to be) h method.
>
> So, <%=h var %> and <%= var %> are really the same.
>
> Any thoughts?
>
> -Nb
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Nathaniel S. H. Brown http://nshb.net
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> _______________________________________________
> Rails-core mailing list
> Rails-core@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails-core
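Added example (not from either poster, and not Rails code): a stand-alone Ruby script using the standard library's ERB and ERB::Util#h to show the difference the proposal is about, plus a small "escape by default" preprocessor that turns every `<%= expr %>` into `<%= h(expr) %>` and only passes output through raw when the template author opts in. The `<%== expr %>` opt-out syntax, the View class and the sample input are assumptions made for this illustration; the quoted thread proposes no opt-out marker.

```ruby
require "erb"

# Constructed sample input: attacker-controlled text carrying a script tag,
# the kind of value QA files XSS tickets about when it reaches <%= %> unescaped.
UNTRUSTED = %q{<script>alert("xss")</script>}

# Minimal stand-in for a Rails view context. ERB::Util supplies h (html_escape),
# which escapes & < > " ' so browser markup in the value is rendered as text.
class View
  include ERB::Util

  def initialize(name)
    @name = name
  end

  # Evaluate an ERB template against this object's instance variables.
  def render(template)
    ERB.new(template).result(binding)
  end
end

# Today's behaviour: <%= %> inserts the raw string, <%=h %> escapes it.
def render_raw(input)
  View.new(input).render("<p>Hello, <%= @name %></p>")
end

def render_escaped(input)
  View.new(input).render("<p>Hello, <%=h @name %></p>")
end

# The proposal, as a preprocessing step (hypothetical; not how Rails does it):
# every <%= expr %> is rewritten to <%= h(expr) %>, so the safe form is the
# default. The assumed <%== expr %> tag is the explicit, greppable opt-out for
# output the developer has decided is already safe HTML.
def autoescape(template)
  template.gsub(/<%(==?)\s*(.*?)\s*%>/m) do
    marker, expr = $1, $2
    marker == "==" ? "<%= (#{expr}) %>" : "<%= h(#{expr}) %>"
  end
end

def render_auto(template, input)
  View.new(input).render(autoescape(template))
end

if __FILE__ == $PROGRAM_NAME
  puts "raw:      " + render_raw(UNTRUSTED)
  puts "escaped:  " + render_escaped(UNTRUSTED)
  puts "auto:     " + render_auto("<p>Hello, <%= @name %></p>", UNTRUSTED)
  puts "opt-out:  " + render_auto("<p>Hello, <%== @name %></p>", UNTRUSTED)
end
```

Note that the preprocessor only rewrites output tags; `<% ... %>` statement tags are left alone because the regex requires at least one `=` after `<%`. The opt-out matters for the "force it to be less secure" half of the idea: once escaping is the default, the places that deliberately emit markup become the only ones a reviewer has to audit.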