Koz,
The problem is that we're telling people that XSS is on by default, when
using an alternate template engine drives a big truck through that firewall.

We need a simple API for alternate template engines opting in to this
behavior. Nathan, what about the current APIs is too cumbersome for your
needs?

Koz, any thoughts on how we might make it easier to opt in? What about a
dev-mode warning if you're using a template engine that doesn't escape?

-- Yehuda

On Sun, Oct 11, 2009 at 11:02 AM, Michael Koziarski
<mich...@koziarski.com> wrote:

>
> > I'm the maintainer of Haml, and I've been hearing all about the new on-
> > by-default XSS protection stuff. I'm wondering what your plan for
> > compatibility with alternate templating engines is. I'd really
> > appreciate not having to come up with all sorts of alternate
> > compilation paths for Rails code with XSS protection enabled - this
> > would make the code much more brittle, and apt to break in odd Rails-
> > specific ways that will be hard for users to understand and hard for
> > me to track down.
>
> Your templating engine should continue to work 100% without any
> errors.  The 'escape-me' behaviour is limited to the erb template
> handler (builder already does this obviously).
>
> If you *want* on by default escaping you'll just need to work with an
> ActionView::SafeBuffer instead of a string.
>
> The only surprise you could get is if you use with_output_buffer and
> *don't* pass it a buffer, in that case it'll now default to a safe
> buffer.
>
> > - Nathan Weizenbaum
>
> --
> Cheers
>
> Koz


-- 
Yehuda Katz
Developer | Engine Yard
(ph) 718.877.1325
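
[Added example, not part of the thread and not Rails' own code. It models
the point Koz makes above with a constructed stand-in for a "safe buffer":
a String subclass that HTML-escapes anything appended to it unless the
value is already marked safe. The toy template, the TEMPLATE/HOSTILE data,
the `render` and `with_output_buffer` functions and the SafeBuffer class
are all assumptions made for illustration; they are not
ActionView::SafeBuffer or the real with_output_buffer.]

```ruby
require "cgi"

# Constructed model of the safe-buffer idea (assumption: NOT Rails'
# ActionView::SafeBuffer). Plain strings are untrusted by default.
class String
  def html_safe?
    false
  end
end

# A buffer that escapes on append; values already marked safe pass through.
class SafeBuffer < String
  def html_safe?
    true
  end

  def <<(value)
    trusted = value.respond_to?(:html_safe?) && value.html_safe?
    super(trusted ? value : CGI.escapeHTML(value.to_s))
  end

  def concat(*values)
    values.each { |v| self << v }
    self
  end
end

# Mark a literal as trusted markup (the template's own text).
def html_safe(str)
  SafeBuffer.new(str)
end

# Toy template (constructed): [:text, literal] and [:expr, proc] nodes,
# standing in for what an ERB- or Haml-style compiler would emit.
TEMPLATE = [
  [:text, "<p class=\"name\">"],
  [:expr, ->(locals) { locals[:name] }],
  [:text, "</p>"],
].freeze

# Render into whatever buffer the caller supplies. A plain String buffer is
# the "alternate engine" case Yehuda worries about: nothing gets escaped.
# Handing in a SafeBuffer is the opt-in Koz describes.
def render(template, locals, buffer)
  template.each do |kind, value|
    case kind
    when :text then buffer << html_safe(value)
    when :expr then buffer << value.call(locals)
    end
  end
  buffer
end

# Constructed hostile input.
HOSTILE = { name: "<script>alert(1)</script>" }.freeze

def render_with_string
  render(TEMPLATE, HOSTILE, String.new(""))
end

def render_with_safe_buffer
  render(TEMPLATE, HOSTILE, SafeBuffer.new(""))
end

# Model of the with_output_buffer surprise: if no buffer is passed, the
# default is now a SafeBuffer, so raw markup strings an engine appends to
# the default buffer come out escaped. Passing a buffer explicitly avoids it.
def with_output_buffer(buffer = SafeBuffer.new(""))
  yield buffer
  buffer
end

def helper_output_default
  with_output_buffer { |b| b << "<em>" << "hi" << "</em>" }
end

def helper_output_explicit
  with_output_buffer(String.new("")) { |b| b << "<em>" << "hi" << "</em>" }
end

if __FILE__ == $0
  puts render_with_string       # raw script tag reaches the page
  puts render_with_safe_buffer  # script tag escaped, literal markup kept
  puts helper_output_default    # markup escaped: the with_output_buffer surprise
  puts helper_output_explicit   # markup intact when a buffer is passed
end
```

The first two calls show why "on by default" only holds for engines that
write into the safe buffer; the last two show the one behavioural change
Koz flags for engines that call with_output_buffer without an argument.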
