There was a discussion about this on the main rails list a week or two ago...

Basic conclusions that I came away with were...

Since most of the problematic data would be coming from the database, it might be easiest to set up ActiveRecord to escape text by default. This escaping could be turned off in the model definition if necessary:

    class Model < AR::Base
      # opt these attributes out of the default escaping
      acts_as_unescaped :attribute1, :attribute2
    end

method_missing could also be set up to recognize things like "#{attribute}_unsafe" to return the unescaped code. This has the bonus effect of self-documenting the code and making it obvious when the unescaped value is being used. For example, which code fragment below is returning unescaped text?

    <%= item.name_unsafe %>

or

    <%= item.name %>

Changing ERb will probably lead to enormous headaches at this point.

The key thing is to change the default behavior to secure rather than unsecure. If you fail to unescape when the default is secure, you just break the app. If you fail to escape when the default is unsecure, you expose your data. A broken app will be obvious from your tests and can be fixed; an unsecure one probably won't, and you won't know there is a problem until it's too late.

Sure, it will impose a performance hit, but this should really be a secondary concern to security.

_Kevin

_______________________________________________
Rails-core mailing list
Rails-core@lists.rubyonrails.org
http://lists.rubyonrails.org/mailman/listinfo/rails-core
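The escape-by-default model sketched in the post, as an added example that is not part of the original message and not Rails' own code: a minimal stand-in for an ActiveRecord model (attributes held in a Hash, no database) where a hypothetical acts_as_unescaped opts attributes out of escaping and method_missing serves the raw value only when the caller asks for "#{attribute}_unsafe". All class and method names here are assumptions for illustration.

```ruby
require 'cgi'

# Stand-in for an ActiveRecord model: attributes live in a Hash.
# Hypothetical base class; not Rails' own API.
class EscapingModel
  # Per-class registry of attributes that opt out of default escaping.
  def self.unescaped_attributes
    @unescaped_attributes ||= []
  end

  # Hypothetical acts_as_unescaped, as proposed in the post: mark
  # attributes whose stored value is trusted markup.
  def self.acts_as_unescaped(*names)
    unescaped_attributes.concat(names.map(&:to_s))
  end

  def initialize(attributes)
    @attributes = attributes.transform_keys(&:to_s)
  end

  # The value exactly as stored (the "unsafe" view of it).
  def read_attribute(name)
    @attributes.fetch(name.to_s)
  end

  def method_missing(name, *args, &block)
    name_s = name.to_s
    base   = name_s.delete_suffix('_unsafe')
    if name_s.end_with?('_unsafe') && @attributes.key?(base)
      # Explicit opt-out at the call site: item.name_unsafe reads as unescaped.
      read_attribute(base)
    elsif @attributes.key?(name_s)
      value = read_attribute(name_s)
      if self.class.unescaped_attributes.include?(name_s) || !value.is_a?(String)
        value                      # opted out in the model, or not text at all
      else
        CGI.escapeHTML(value)      # the secure default
      end
    else
      super                        # unknown attribute: normal NoMethodError
    end
  end

  def respond_to_missing?(name, include_private = false)
    @attributes.key?(name.to_s.delete_suffix('_unsafe')) || super
  end
end

# Example model; body_html is assumed to hold pre-sanitized markup.
class Item < EscapingModel
  acts_as_unescaped :body_html
end
```

With this default, forgetting the _unsafe suffix on a field that really needs raw markup shows up immediately as visibly escaped output in tests, while forgetting to escape can no longer happen silently; the opt-out is also greppable, since every raw read carries the _unsafe suffix or an acts_as_unescaped declaration.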