On 15 Feb 2006 15:39:25 -0000, Kevin Olbrich <[EMAIL PROTECTED]> wrote:

> > On Wednesday, February 15, 2006, at 2:50 PM, Tom Ward wrote:
> >
> > This is a bad idea. It assumes data from ActiveRecord models is only
> > ever displayed on the web. This ignores email templates, logging, etc.
> > from within web apps, not to mention applications using ActiveRecord
> > outside the web.
>
> The idea of the plugin would be to make it easy to turn off the behavior
> if you found it necessary to do so. In my view, if escaping the text by
> default causes problems then you at least have to think about turning it
> off. Besides, sneaky code can be a problem in places other than
> rendered html.

I've no problem making html output secure by default, but ActiveRecord is the wrong place to do this, even as a plugin. Many applications have a wide range of output formats, not just ERb-generated html, and changing ActiveRecord will affect them all. I should only have to think about turning escaping off in places where it could have been a problem in the first place.

Tom Ward
--
nick: tomafro
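The trade-off Tom describes, shown as an added example (not code from the thread or from Rails): a constructed stand-in for a model attribute is rendered through an HTML view and a plain-text email, once with escaping done inside the model and once with escaping done at the HTML sink only. `EscapingModel`, `PlainModel`, `html_view` and `plain_text_email` are hypothetical names used for illustration.

```ruby
require 'cgi'

# Constructed sample value standing in for an untrusted model attribute.
UNTRUSTED_NAME = 'Ward & Olbrich <rails-core>'

# Approach A (the proposed plugin): the model escapes on read, so every
# consumer, whatever its output format, receives HTML entities.
class EscapingModel
  def initialize(name) = @name = name
  def name = CGI.escapeHTML(@name)
end

# Approach B: the model returns raw data; each output boundary applies
# the escaping that is correct for its own format.
class PlainModel
  attr_reader :name
  def initialize(name) = @name = name
end

# An HTML sink: must escape untrusted text before interpolating it.
def html_view(text)
  "<p>Hello, #{CGI.escapeHTML(text)}</p>"
end

# A plain-text sink (email body, log line): HTML entities are not wanted.
def plain_text_email(text)
  "Hello, #{text}"
end

# Escaping in the model: the HTML view is safe only if it trusts the model
# to have escaped; the email carries entities; a view that escapes anyway
# double-escapes.
def model_level_escaping(raw)
  m = EscapingModel.new(raw)
  { html:   "<p>Hello, #{m.name}</p>",
    email:  plain_text_email(m.name),
    double: html_view(m.name) }
end

# Escaping at the output boundary: the HTML sink is safe and the plain-text
# sink reproduces the data unchanged.
def output_level_escaping(raw)
  m = PlainModel.new(raw)
  { html: html_view(m.name), email: plain_text_email(m.name) }
end
```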
_______________________________________________
Rails-core mailing list
[email protected]
http://lists.rubyonrails.org/mailman/listinfo/rails-core
