Nathaniel S. H. Brown wrote:
> I was just reading a blog post about how much PHP applications lack as
> far as security goes, and it got me thinking that Rails should come default
> secure, and you should have to force it to be less secure.
>
> On that note, I came up with the idea of having <%= default to use the XSS-safe
> (or soon to be) h method.
>
> So, <%=h var %> and <%= var %> are really the same.
> Any thoughts?
Several.

* Introducing this will break existing applications, which already make use of h, since h isn't idempotent.

* If <%= expr %> already produces valid HTML (or an HTML fragment like "</p>", which becomes valid through the page context), applying h to expr will produce garbage.

* And of course, it would severely hurt performance.

So -10 from me.

-- stefan


--
For rails performance tuning, see: http://railsexpress.de/blog
Subscription: http://railsexpress.de/blog/xml/rss20/feed.xml
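The two breakage modes Stefan lists (double-escaping because h is not idempotent, and mangling of fragments that are already markup) can be shown in a few lines. The following is an added example, not code from the thread or from Rails; CGI.escapeHTML stands in for the h helper of the time, and SafeBuffer, html_safe, auto_escape and render are hypothetical names chosen here to show the "mark trusted output, escape everything else once" approach that Rails 3 later shipped in a similar shape (the input strings are constructed for the demo):

```ruby
require 'cgi'

# Stand-in for the Rails helper h: plain HTML escaping of the value.
# Escaping is not idempotent, so applying it twice double-escapes.
def h(value)
  CGI.escapeHTML(value.to_s)
end

# Hypothetical marker class: a String that is either template markup
# or already-escaped output and must not be escaped again.
class SafeBuffer < String
  def html_safe?
    true
  end
end

def html_safe(str)
  SafeBuffer.new(str)
end

# Escape-on-output that respects the marker. Values already flagged
# safe pass through; anything else is escaped exactly once and the
# result is flagged safe, so auto_escape(auto_escape(x)) == auto_escape(x).
def auto_escape(value)
  return value if value.respond_to?(:html_safe?) && value.html_safe?
  html_safe(CGI.escapeHTML(value.to_s))
end

# Render a template as a default-escaping <%= %> would: each piece is
# run through auto_escape, so template literals (marked safe) survive
# and interpolated values are escaped.
def render(pieces)
  pieces.map { |piece| auto_escape(piece) }.join
end

if __FILE__ == $PROGRAM_NAME
  user_input = "<script>alert(1)</script>" # constructed untrusted value

  puts h(user_input)                        # escaped once
  puts h(h(user_input))                     # double-escaped: the breakage Stefan describes
  puts auto_escape(auto_escape(user_input)) # still escaped only once

  # Template literal "</p>" kept intact; a user value of "</p>" is neutralised.
  puts render([html_safe("<p>"), user_input, html_safe("</p>")])
  puts render([html_safe("<p>"), "</p>", html_safe("</p>")])

  # Mixing the old plain h into an auto-escaping pipeline double-escapes again,
  # which is why existing <%=h var %> call sites would break.
  puts render([html_safe("<p>"), h(user_input), html_safe("</p>")])
end
```

The marker approach removes the idempotency problem only if every producer of trusted markup (including h itself) returns a marked string; the last render call shows what happens when one does not.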

_______________________________________________
Rails-core mailing list
[email protected]
http://lists.rubyonrails.org/mailman/listinfo/rails-core