On Sun, Feb 12, 2006 at 11:30:31AM -0600, David Heinemeier Hansson wrote:
> > I don't personally use Basecamp, but if I remember correctly, many
> > people view the pages, so what prevents a bad user from doing:
> >
> > <a href="some link" onclick="do potentially bad thing here">Click me !</a>
>
> Basecamp is account restricted. You have to be invited and accept the
> invitation to become part of a project and see the content. In this
> context, the ability of being able to use HTML outweighs the
> risk/impact of malicious users (you usually just participate in
> projects with people you know).
>
> On a public forum, it's different. I wouldn't want to allow HTML there.
Allowing that there are some apps which must not allow _any_ script injection
(e.g. a bank loan system where the first privacy leak is already a disaster),
how about a mix of helpers/features that let one optimize for local style?
i.e. let coders carve out areas that should be input escaped, input filtered
or output escaped.

Favor seldom-write/many-read performance
  * escape_html :var model method to escape input in model typecasting/wherever;
    use straight <%= foo %> on output

Allow html-rich content
  * safe_html :var model method to filter for a clean (programmable) subset

Be backward compatible
  * add a <%~ foo %> style to ERB, equivalent to <%= h foo %>

I have html filter code (albeit Java) -- I'll dig it up. I can write an erb
patch for the Ruby folks.

Thoughts?

-jeremy

_____________________________________________________________________
jeremy wohl ..: http://igmus.org

_______________________________________________
Rails-core mailing list
Rails-core@lists.rubyonrails.org
http://lists.rubyonrails.org/mailman/listinfo/rails-core
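The three proposals sketched in plain Ruby, as an added example that is not part of the thread or of Rails: `h` for output escaping, a minimal allowlist `safe_html` for the html-rich case, and a preprocessor that turns the proposed `<%~ foo %>` into `<%= h foo %>` so existing `<%= %>` templates are untouched. The tag/attribute allowlists, `render_template`, `demo` and the sample payload are assumptions made for the demonstration.

```ruby
require 'erb'
require 'cgi'

# Output escaping, what Rails' ERB helper `h` does: markup becomes inert text.
def h(value)
  CGI.escapeHTML(value.to_s)
end

# Allowlist filter for the "html-rich content" case (a stand-in for the
# proposed safe_html model method): keep a small tag subset, drop every
# other tag, and drop event-handler (on*) and script-URL attributes.
# Text between tags passes through untouched; this is deliberately minimal.
SAFE_TAGS  = %w[a b i em strong p br].freeze
SAFE_ATTRS = %w[href title].freeze
ATTR_RE    = /([a-zA-Z-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/

def safe_html(input)
  input.gsub(%r{<\s*(/?)\s*([a-zA-Z0-9]+)([^>]*)>}) do
    closing, tag, attrs = $1, $2.downcase, $3
    next '' unless SAFE_TAGS.include?(tag)   # unknown tag: remove it outright
    next "</#{tag}>" if closing == '/'
    kept = attrs.scan(ATTR_RE).map do |name, raw|
      name  = name.downcase
      value = raw.sub(/\A["']/, '').sub(/["']\z/, '')
      next unless SAFE_ATTRS.include?(name)  # drops onclick, onerror, style, ...
      next if value.strip.downcase.start_with?('javascript:', 'vbscript:', 'data:')
      %(#{name}="#{h(value)}")
    end.compact
    kept.empty? ? "<#{tag}>" : "<#{tag} #{kept.join(' ')}>"
  end
end

# The proposed <%~ foo %> tag: rewrite it to <%= h(foo) %> before ERB compiles,
# so escaping is opt-in per tag and plain <%= %> keeps its current meaning.
def render_template(template, locals)
  src = template.gsub(/<%~\s*(.*?)\s*%>/m) { "<%= h(#{$1}) %>" }
  ERB.new(src).result_with_hash(locals)
end

# Constructed sample of the kind of payload the thread worries about.
MALICIOUS = '<a href="javascript:alert(1)" onclick="steal()">Click me !</a><script>x()</script>'

def demo
  {
    escaped:  render_template('<%~ msg %>', msg: MALICIOUS),            # public-forum style
    filtered: render_template('<%= safe_html(msg) %>', msg: MALICIOUS)  # invite-only style
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```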