> A different approach might be to leave <%= alone and introduce a
> different ERB operator that is XSS safe, perhaps <%: ... my point is
> there are probably lots of different ways to attack this problem.
How is that operator different from <%=h my_string %>? Here's a suggestion: If you use html_escape more than regular output, bind your TextMate (or whatever editor) hotkey for ERb outputs to include the h by default. That'd be a very Less Software approach to doing the same.

> Are there more important issues to address?

Probably. In my humble opinion, labeling this as though it would rid the world of XSS is simplistic. It's a noble goal to be pursuing that, but the interesting parts around that are how you deal with XSS when you WANT to allow some HTML.

In any case, I applaud anyone who wishes to make it easier for people to deal with XSS. And I can see on this thread that the slaps Nathaniel got could indeed be misconstrued as being about whether XSS is important to deal with or not. That's not as helpful as simply providing the reasons why _this_ particular suggestion is not going to work.

So -1 on the specifics, +1 on the intentions. Keep thinking.

--
David Heinemeier Hansson
http://www.loudthinking.com  -- Broadcasting Brain
http://www.basecamphq.com    -- Online project management
http://www.backpackit.com    -- Personal information manager
http://www.rubyonrails.com   -- Web-application framework

_______________________________________________
Rails-core mailing list
Rails-core@lists.rubyonrails.org
http://lists.rubyonrails.org/mailman/listinfo/rails-core
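The three things the thread is arguing about, side by side, as an added example that is not from the thread, from Rails or from ERB itself: the stock `<%= %>` output, the explicit `<%= h %>` escaping DHH points at, and a stand-in for the proposed escape-by-default `<%:` operator, implemented here as a hypothetical pre-processor that rewrites `<%: expr %>` into `<%= h(expr) %>` before the template reaches ERB. It also shows the simplest safe answer to "I WANT to allow some HTML": escape everything, then re-enable an exact allowlist of bare tags. The sample input `UNTRUSTED`, the `ALLOWED_TAGS` list and all function names are constructed for this example; only `ERB` and `ERB::Util#h` are real stdlib.

```ruby
require "erb"

# ERB::Util provides html_escape and its alias h (the same h the thread
# refers to). Including it at top level makes h callable inside templates
# evaluated against a method's binding.
include ERB::Util

# Constructed attacker-controlled input: a script tag plus the characters
# html_escape rewrites (quotes and ampersand).
UNTRUSTED = %q{<script>alert(1)</script> "Bob" & Co.}

# 1. Stock <%= %>: raw interpolation. If str is attacker-controlled this is XSS.
def render_raw(str)
  ERB.new("<p><%= str %></p>").result(binding)
end

# 2. Explicit escaping with h, as in the thread's <%=h my_string %>.
def render_escaped(str)
  ERB.new("<p><%= h str %></p>").result(binding)
end

# 3. Hypothetical escape-by-default operator "<%: expr %>".
#    This is an assumption about how such an operator could be built as a
#    pre-processing step; neither ERB nor Rails provides it. Everything
#    between "<%:" and "%>" is wrapped in h() and handed to a normal <%= %>.
SAFE_TAG = /<%:\s*(.+?)\s*%>/m

def preprocess_safe_tags(template)
  template.gsub(SAFE_TAG) { "<%= h(#{$1}) %>" }
end

def render_safe(str)
  ERB.new(preprocess_safe_tags("<p><%: str %></p>")).result(binding)
end

# "Allow some HTML": escape the whole string, then undo the escaping only
# for exact, attribute-less tokens from a fixed allowlist. A tag carrying
# attributes (e.g. <b onclick=...>) does not match the literal token and
# therefore stays escaped, which is the point of doing it this way round.
ALLOWED_TAGS = %w[b i em strong].freeze

def escape_allowing(str, allowed = ALLOWED_TAGS)
  out = ERB::Util.html_escape(str)
  allowed.each do |tag|
    out = out.gsub("&lt;#{tag}&gt;", "<#{tag}>")
             .gsub("&lt;/#{tag}&gt;", "</#{tag}>")
  end
  out
end

if __FILE__ == $0
  puts "raw:     #{render_raw(UNTRUSTED)}"
  puts "h:       #{render_escaped(UNTRUSTED)}"
  puts "<%: %>:  #{render_safe(UNTRUSTED)}"
  puts "partial: #{escape_allowing('<b>hi</b> <script>x</script>')}"
end
```

The pre-processor is deliberately naive (a regex over the template text); it is there to make the "escape unless you opt out" default concrete, not to propose a parser. The allowlist trick is the minimum that is still safe, because re-enabling only literal `<b>`-style tokens can never reintroduce an attribute or an unlisted element.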