Maybe a simple wiki page with a table listing the currently supported template engines and their features is enough. One of these features would obviously be "XSS safe".
On Mon, 2009-10-12 at 10:14 +1300, Michael Koziarski wrote:
> On Mon, Oct 12, 2009 at 10:04 AM, Yehuda Katz <wyc...@gmail.com> wrote:
> > Koz,
> > The problem is that we're telling people that XSS is on by default, when using an alternate template engine drives a big truck through that firewall.
>
> There's no way to avoid this, template engines maintain their own buffer which we have no control over.
>
> > Koz, Any thoughts on how we might make it easier to opt in? What about a dev. mode warning if you're using a template engine that doesn't escape?
>
> The only way we could detect this is if a render call returned something other than a SafeBuffer and was an engine other than builder. I think you're making more out of this than you need to, alternative engines such as ones which generate pdfs or other non-html formats have nothing to do with this.
>
> I'd be happy if we rejigged the marketing message to say "erb and builder templates are xss safe" but that seems needless hesitation. It's trivial for other templates to opt in, and I say we just encourage them to.
>
> > -- Yehuda
> >
> > On Sun, Oct 11, 2009 at 11:02 AM, Michael Koziarski <mich...@koziarski.com> wrote:
> >>
> >> > I'm the maintainer of Haml, and I've been hearing all about the new on-by-default XSS protection stuff. I'm wondering what your plan for compatibility with alternate templating engines is. I'd really appreciate not having to come up with all sorts of alternate compilation paths for Rails code with XSS protection enabled - this would make the code much more brittle, and apt to break in odd Rails-specific ways that will be hard for users to understand and hard for me to track down.
> >>
> >> Your templating engine should continue to work 100% without any errors. The 'escape-me' behaviour is limited to the erb template handler (builder already does this obviously).
> >>
> >> If you *want* on by default escaping you'll just need to work with an ActionView::SafeBuffer instead of a string.
> >>
> >> The only surprise you could get is if you use with_output_buffer and *don't* pass it a buffer, in that case it'll now default to a safe buffer.
> >>
> >> > - Nathan Weizenbaum
> >>
> >> --
> >> Cheers
> >>
> >> Koz
> >
> > --
> > Yehuda Katz
> > Developer | Engine Yard
> > (ph) 718.877.1325

--
Carlos Henrique Júnior
Milk-it Software House
car...@milk-it.net
(31) 8763-5606 / 3227-1009
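Koz's point that an engine opts in by building its output in an ActionView::SafeBuffer rather than a plain String, and Yehuda's idea of a development-mode warning for engines that return something else, as an added Ruby example that is not part of this thread or of Rails: the SafeBuffer class below is a constructed stand-in modelled on the Rails behaviour (append escapes anything not already marked html-safe), and the two engine functions and the warning helper are hypothetical names.

```ruby
require "cgi"

# Reopen String so a plain String reports itself as not html-safe and can be marked safe.
class String
  def html_safe?
    false
  end

  def html_safe
    SafeBuffer.new(self)
  end
end

# Toy stand-in for ActionView::SafeBuffer (constructed for this example, not Rails' class):
# a String that escapes anything appended to it unless the fragment is already html-safe.
class SafeBuffer < String
  def html_safe?
    true
  end

  def <<(fragment)
    safe = fragment.respond_to?(:html_safe?) && fragment.html_safe?
    super(safe ? fragment : CGI.escapeHTML(fragment.to_s))
  end
  alias_method :concat, :<<
end

# An engine that has opted in, as Koz describes: it builds output in a SafeBuffer, marks its
# own literal markup safe, and lets the buffer escape the user-supplied value.
def render_safe_engine(user_input)
  buf = SafeBuffer.new
  buf << "<p>".html_safe
  buf << user_input
  buf << "</p>".html_safe
  buf
end

# An engine that has not opted in: plain string concatenation, so nothing is escaped.
def render_plain_engine(user_input)
  "<p>" + user_input.to_s + "</p>"
end

# The development-mode check Yehuda asks about, in Koz's terms: a render result that is not
# a SafeBuffer came from an engine whose output Rails did not escape. Returns nil when fine.
def unescaped_engine_warning(engine_name, output)
  return nil if output.html_safe?
  "#{engine_name} returned a #{output.class}, not a SafeBuffer; its output was not escaped"
end
```

Feeding the same constructed input to both engines shows the difference: the SafeBuffer engine yields escaped markup and no warning, the plain-string engine yields the raw input and triggers the warning.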