Good point. We could always make it a configuration option for 1.0?
-Nb
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Nathaniel S. H. Brown http://nshb.net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Koziarski
> Sent: February 11, 2006 8:31 PM
> To: rails-core@lists.rubyonrails.org
> Subject: Re: [Rails-core] Default <%= to use the h (html safe) method.
>
> On 2/12/06, Nathaniel S. H. Brown <[EMAIL PROTECTED]> wrote:
> > I was just reading a blog post, about how PHP applications lack so
> > much as far as security goes, and it got me thinking that Rails should
> > come default secure, and you should have to force it to be less secure.
> >
> > On that note, I came up with the idea of having <%= default to use the
> > XSS safe (or soon to be) h method.
> >
> > So, <%=h var %> and <%= var %> are really the same.
> >
> > Any thoughts?
>
> Unfortunately this would break existing applications which rely on the
> original behaviour. So even if we thought it was something we'd like to
> do, it'd have to wait until rails 2.0. It's also a little
> counter-intuitive, I don't know that I like the idea.
>
> --
> Cheers
>
> Koz
> _______________________________________________
> Rails-core mailing list
> Rails-core@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails-core