2006/2/12, Tobias Luetke <[EMAIL PROTECTED]>:
> By escaping the html your customers input you potentially disable a
> lot of cool features.
>
> For example we use html to make links in todo list items in basecamp
> all the time. Couldn't do that if it was escaped.

Isn't Textile quite suited to this sort of task? Wouldn't it be safer?

I don't personally use Basecamp, but if I remember correctly, many
people view the pages, so what prevents a bad user from doing:

<a href="some link" onclick="do potentially bad thing here">Click me !</a>

???

Thanks!
--
François Beausoleil
http://blog.teksol.info/
_______________________________________________
Rails-core mailing list
Rails-core@lists.rubyonrails.org
http://lists.rubyonrails.org/mailman/listinfo/rails-core
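The `<a href onclick=...>` case raised above is the usual argument for an allowlist sanitizer rather than a choice between "escape everything" and "trust everything": keep the handful of tags and attributes the feature needs (a link, some emphasis), escape every other tag to plain text, drop every attribute not on the list (so `onclick` never survives), and reject `href` values whose scheme is not `http`, `https` or `mailto` (so `javascript:` links are dropped too). Note that switching to Textile alone does not settle the question: most Textile implementations pass raw HTML through unless configured to filter it. The following is an added example, not code from the thread, Basecamp or Rails; it uses only the Ruby standard library, and the names `sanitize_html`, `rebuild_tag`, `safe_url?`, `ALLOWED_TAGS` and `ALLOWED_SCHEMES` are invented for the illustration.

```ruby
require 'cgi'

# Allowlist: tag name => attributes that may survive. Any tag not listed here
# is escaped to visible text, and any attribute not listed (onclick, onerror,
# style, ...) is silently dropped. Names are assumptions for this example.
ALLOWED_TAGS = {
  'a'      => %w[href title],
  'b'      => [],
  'i'      => [],
  'em'     => [],
  'strong' => [],
  'code'   => [],
}.freeze

# URL schemes an href may use; relative URLs are always fine. Anything else
# (javascript:, data:, vbscript:) causes the href attribute to be dropped.
ALLOWED_SCHEMES = %w[http https mailto].freeze

# Splits input into text chunks and tag chunks (capture group keeps the tags).
TAG_RE  = %r{(</?[a-zA-Z][^>]*>)}
# name, "double-quoted", 'single-quoted' or bare attribute values.
ATTR_RE = /([a-zA-Z][\w:-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/

# True if +url+ is relative or uses an allowed scheme. Whitespace and control
# characters are removed first because browsers ignore them inside the
# scheme, so "java\tscript:alert(1)" would otherwise slip past a naive check.
def safe_url?(url)
  cleaned = url.gsub(/[\x00-\x20]/, '')
  scheme  = cleaned[/\A([a-zA-Z][a-zA-Z0-9+.\-]*):/, 1]
  scheme.nil? || ALLOWED_SCHEMES.include?(scheme.downcase)
end

# Re-emits one tag from scratch using only allowlisted attributes, or returns
# it HTML-escaped if the tag itself is not allowed.
def rebuild_tag(tag)
  closing = tag.start_with?('</')
  name    = tag[%r{\A</?([a-zA-Z][a-zA-Z0-9]*)}, 1].downcase
  return CGI.escapeHTML(tag) unless ALLOWED_TAGS.key?(name)
  return "</#{name}>" if closing

  attrs_src = tag[%r{\A<[a-zA-Z][a-zA-Z0-9]*(.*?)/?>\z}m, 1]
  attrs = attrs_src.scan(ATTR_RE).map do |aname, dq, sq, bare|
    aname = aname.downcase
    value = dq || sq || bare || ''
    next unless ALLOWED_TAGS[name].include?(aname)
    next if aname == 'href' && !safe_url?(value)
    # Values are re-escaped, so entity tricks in the input stay literal text.
    %( #{aname}="#{CGI.escapeHTML(value)}")
  end.compact
  "<#{name}#{attrs.join}>"
end

# Text between tags is always escaped; tags are rebuilt from the allowlist.
def sanitize_html(input)
  input.split(TAG_RE).each_with_index.map do |chunk, i|
    i.odd? ? rebuild_tag(chunk) : CGI.escapeHTML(chunk)
  end.join
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs, including the exact vector from the message above.
  [
    '<a href="some link" onclick="do potentially bad thing here">Click me !</a>',
    '<a href="javascript:alert(1)">x</a>',
    "<a href=\"  java\tscript:alert(1)\">x</a>",
    '<script>alert(1)</script>',
    '<img src=x onerror=alert(1)>',
    '1 < 2 & <b>bold</b>',
  ].each { |s| puts "#{s}\n  => #{sanitize_html(s)}" }
end
```

The regex tokenizer is enough to show the allowlist idea, but it is not a real HTML parser (a `>` inside a quoted attribute value, for instance, will confuse it), and it does not balance tags. In a deployment the same allowlist policy should sit on top of a parser-based sanitizer; current Rails ships one as the `sanitize` helper, backed by rails-html-sanitizer.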
