We did this in OpenACS where I used to contribute, and found it to be
a really bad idea, only too late.
Variable interpolation in OpenACS is done with @varname@, and to avoid the HTML quoting, you have to say @varname;noquote@
The reasons are the same as stated here:
1) It turns out that quoting is the exception, not the norm
2) It broke so many things that relied on this, that all the lower
level services had to put ;noquote everywhere.
3) It hurt performance.
I'd also vote -10.
What we should do is encourage people to think of "<%=h" as a common idiom in the "getting started" documentation and examples.
/Lars
On Feb 12, 2006, at 7:50 AM, Stefan Kaes wrote:
Nathaniel S. H. Brown wrote:
I was just reading a blog post about how PHP applications lack so much as far as security goes, and it got me thinking that Rails should come default secure, and you should have to force it to be less secure.
On that note, I came up with the idea of having <%= default to use the XSS safe (or soon to be) h method.
So, <%=h var %> and <%= var %> are really the same.
Any thoughts?
Several.
* Introducing this will break existing applications, which already make use of h, since h isn't idempotent.
* If <%= expr %> already produces valid html (or an html fragment like "</p>", which becomes valid through the page context), applying h to expr will produce garbage.
* And of course, it would severely hurt performance.
So -10 from me.
-- stefan
--
For rails performance tuning, see: http://railsexpress.de/blog
Subscription: http://railsexpress.de/blog/xml/rss20/feed.xml
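The two failure modes Stefan lists, h not being idempotent and h turning an intentionally raw fragment like "</p>" into text, as an added Ruby illustration that is not part of the thread and not Rails code. The h stand-in here uses CGI.escapeHTML; SafeString and escape_once are a hypothetical sketch of the alternative to a blanket default, marking trusted strings (the role ;noquote plays in OpenACS) so escaping is applied exactly once.

```ruby
require 'cgi'

# Minimal stand-in for the ERB `h` helper: escape &, <, >, " and '.
# Not the Rails implementation; added only to illustrate the thread.
def h(str)
  CGI.escapeHTML(str.to_s)
end

# Point 1 in the thread: h is not idempotent. Escaping already-escaped
# text re-escapes the '&' of every entity, so "<b>" becomes "&amp;lt;b&amp;gt;".
# A default-escaping <%= would do exactly this to every existing <%=h %>.
def double_escape(str)
  h(h(str))
end

# Point 2: a fragment that is valid HTML in page context, e.g. "</p>",
# is turned into literal text once it is escaped.
def escape_fragment(fragment)
  h(fragment)
end

# Hypothetical alternative: carry a "trusted" flag on the string so that
# escaping happens once and deliberately raw output stays raw.
class SafeString < String
  def html_safe?
    true
  end
end

# Escape unless the value is already marked safe; the result is marked safe,
# so passing it through escape_once again is a no-op (idempotent by design).
def escape_once(value)
  return value if value.respond_to?(:html_safe?) && value.html_safe?
  SafeString.new(h(value))
end

# Render a list of template values: untrusted strings get escaped once,
# trusted fragments are emitted verbatim.
def render_items(items)
  items.map { |v| escape_once(v) }.join
end
```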
_______________________________________________
Rails-core mailing list
[email protected]
http://lists.rubyonrails.org/mailman/listinfo/rails-core