There was a discussion about this on the main rails list a week or two ago...

Basic conclusions that I came away with were...

Since most of the problematic data would be coming from the database, it  
might be easiest to set up activerecord to escape text by default.  This  
escaping could be turned off in the model definition if necessary.

class Model < AR::Base
  acts_as_unescaped :attribute1, :attribute2
end

method_missing could also be set up to recognize things like  
"#{attribute}_unsafe" to return the unescaped code.  This has the bonus  
effect of self documenting the code and making it obvious when the  
unescaped value is being used.

For example, which code fragment below is returning unescaped text?

<%= item.name_unsafe %>

or

<%= item.name %>

Changing ERb will probably lead to enormous headaches at this point.

The key thing is to change the default behavior to secure rather than  
insecure.  If you fail to unescape when the default is secure, you just  
break the app.  If you fail to escape when the default is insecure, you  
expose your data.

A broken app will be obvious from your tests and can be fixed, an  
insecure one probably won't, and you won't know there is a problem until  
it's too late.

Sure it will impose a performance hit, but this should really be a  
secondary concern to security.

_Kevin

_______________________________________________
Rails-core mailing list
Rails-core@lists.rubyonrails.org
http://lists.rubyonrails.org/mailman/listinfo/rails-core
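Added example, not code from the post above and not ActiveRecord's own API: a plain-Ruby sketch of the escape-by-default model Kevin describes, with the `acts_as_unescaped` class macro and the `method_missing` handler for `*_unsafe` readers. The `EscapeByDefault` module, the `Item` class, the `render` helper and the sample row are assumptions made for the example; escaping uses `CGI.escapeHTML` from the standard library, and the template is rendered with stock ERb, which is left unchanged as the post suggests.

```ruby
require 'cgi'
require 'erb'
require 'set'

# Assumed module: gives a model class "escape on read by default" attribute
# readers, an opt-out macro, and raw "<name>_unsafe" readers.
module EscapeByDefault
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Attributes listed here are returned raw (e.g. trusted, pre-sanitized
    # markup). Everything not listed is HTML-escaped when read.
    def acts_as_unescaped(*names)
      unescaped_attributes.merge(names.map(&:to_s))
    end

    def unescaped_attributes
      @unescaped_attributes ||= Set.new
    end
  end

  # Attribute storage stands in for a database row (assumption).
  def initialize(attrs = {})
    @attributes = attrs.transform_keys(&:to_s)
  end

  # Raw value exactly as it came from the store.
  def read_attribute(name)
    @attributes.fetch(name.to_s)
  end

  def method_missing(name, *args, &block)
    key = name.to_s
    if key.end_with?('_unsafe') && @attributes.key?(key.delete_suffix('_unsafe'))
      # Explicitly named unsafe reader: self-documenting raw access.
      read_attribute(key.delete_suffix('_unsafe'))
    elsif @attributes.key?(key)
      escaped_or_raw(key)
    else
      super
    end
  end

  def respond_to_missing?(name, include_private = false)
    key = name.to_s
    @attributes.key?(key) ||
      (key.end_with?('_unsafe') && @attributes.key?(key.delete_suffix('_unsafe'))) ||
      super
  end

  private

  # Secure default: strings are escaped unless the model opted the attribute out.
  def escaped_or_raw(name)
    value = read_attribute(name)
    return value unless value.is_a?(String)
    self.class.unescaped_attributes.include?(name) ? value : CGI.escapeHTML(value)
  end
end

# Assumed model: only description_html is declared trusted.
class Item
  include EscapeByDefault
  acts_as_unescaped :description_html
end

# Renders an unchanged ERb template against the model (assumed helper).
def render(template, item)
  ERB.new(template).result_with_hash(item: item)
end

# Constructed sample row: name carries a script payload as hostile data
# would, description_html is markup the model author chose to trust.
ITEM = Item.new(name: '<script>alert(1)</script>',
                description_html: '<b>bold</b>',
                price: 9)

if __FILE__ == $PROGRAM_NAME
  puts render('<%= item.name %>', ITEM)        # escaped by default
  puts render('<%= item.name_unsafe %>', ITEM) # raw, and visibly so
  puts render('<%= item.description_html %>', ITEM)
end
```

Forgetting to use `name_unsafe` where raw output was wanted shows up as visible `&lt;b&gt;` text in a test; forgetting to escape in the old model shows up as nothing at all until an attacker finds it, which is the asymmetry the post is arguing from.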