There was a discussion about this on the main rails list a week or two ago...
Basic conclusions that I cam away with were...
Since most of the problematic data would be coming from the database, it
might be easiest to set up activerecord to escape text by default. This
escaping could be turned off in the model definition if necessary.
class Model < AR::Base
acts_as_unescaped :attribute1, :attribute2
end
method_missing could also be set up to recognize things like
"#{attribute}_unsafe" to return the unescaped code. This has the bonus
effect of self documenting the code and making it obvious when the
unescaped value is being used.
For example, which code fragment below is returning unescaped text?
<%= item.name_unsafe %>
or
<%= item.name %>
Changing ERb will probably lead to enormous headaches at this point.
The key thing is to change the default behavior to secure rather than
unsecure. If you fail to unescape when the default in secure, you just
break the app. If you fail to escape when the default is unsecure, you
expose your data.
A broken app will be obvious from your tests and can be fixed, an
unsecure one probably won't, and you won't know there is a problem until
its too late.
Sure it will impose a performance hit, but this should really be a
secondary concern to security.
_Kevin
--
Posted with http://DevLists.com. Sign up and save your time!
_______________________________________________
Rails-core mailing list
Rails-core@lists.rubyonrails.org
http://lists.rubyonrails.org/mailman/listinfo/rails-core
