On Sun, Apr 4, 2010 at 4:51 AM, [email protected] <[email protected]> wrote:
> Hi,
>
> Using Rails 3 (git master) and Ruby 1.9.2-head I noticed I have to
> treat EVERY SINGLE STRING in my app, even things like
>
>   link_to " bla", path
>
> with raw(). This is crazy! It is a FIXED string! I understand it when
> variables are concerned, but this is taking it a little too far. One
> might even say the escaping is only necessary if STRING variables are
> introduced, so including number-variables in a(n otherwise fixed)
> string should not trigger the need to use raw().
>
> I only just started but the amount of "raw()" I have to insert into my
> app seems excessive.
Making the switch to HTML-safety is quite a pain. The grass is greener on the
other side, though! You mark just a handful of strings as <%= raw ... %>
instead of almost every string as <%= h ... %> -- less work down the line,
plus no lingering XSS worries.

jeremy

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
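
The behaviour Jeremy describes (a buffer that is safe by default, so only the few strings you deliberately mark with raw escape the escaping) can be modelled in a few dozen lines of plain Ruby. The block below is an added example written for this page; it is not the thread's code and not ActiveSupport's SafeBuffer, and the class and helper names (SafeString, escape_html, render) as well as the sample inputs (an attacker-controlled script tag and a fixed label containing an HTML entity, standing in for the poster's fixed string) are assumptions made for the illustration.

```ruby
# Added example: a minimal model of Rails 3's html_safe / raw / h semantics.
# Not ActiveSupport's SafeBuffer; names and inputs below are assumptions.

ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
            '"' => '&quot;', "'" => '&#39;' }.freeze

def escape_html(str)
  str.to_s.gsub(/[&<>"']/) { |c| ESCAPES[c] }
end

# A string that has been declared safe. Anything appended to it that is
# not itself safe gets escaped on the way in; this is what makes the
# template's output buffer safe by default.
class SafeString < String
  def html_safe?
    true
  end

  def html_safe
    self
  end

  # Append: safe input is copied through, anything else is escaped first.
  def <<(other)
    safe = other.respond_to?(:html_safe?) && other.html_safe?
    super(safe ? other.to_s : escape_html(other))
  end
  alias concat <<

  def +(other)
    SafeString.new(self).tap { |s| s << other }
  end
end

class String
  # A plain String is never trusted, however "fixed" it looks in the source.
  def html_safe?
    false
  end

  # Mark this exact string as safe WITHOUT escaping it (what raw() does).
  def html_safe
    SafeString.new(self)
  end
end

# View-helper equivalents: h escapes and then marks safe; raw marks safe as-is.
def h(str)
  SafeString.new(escape_html(str))
end

def raw(str)
  str.to_s.html_safe
end

# Stand-in for a template: every piece is appended to one safe buffer.
def render(pieces)
  buf = SafeString.new
  pieces.each { |p| buf << p }
  buf
end

def demo
  user_input  = '<script>alert(1)</script>'  # constructed attacker-controlled value
  fixed_label = '&nbsp;bla'                   # constructed fixed string containing an entity
  count       = 3

  {
    # A variable holding user input is escaped with no h() call at all.
    user:          render(['<p>'.html_safe, user_input, '</p>'.html_safe]),
    # A fixed string with an entity is still a plain String, so it is escaped too...
    fixed_escaped: render(['<a href="/x">'.html_safe, fixed_label, '</a>'.html_safe]),
    # ...unless the author marks that one string as raw.
    fixed_raw:     render(['<a href="/x">'.html_safe, raw(fixed_label), '</a>'.html_safe]),
    # Interpolating a number adds nothing that needs escaping, so raw() is not needed.
    number:        render(["Items: #{count}"]),
    # h() still works, and is not double-escaped because its result is already safe.
    explicit_h:    render([h(user_input)])
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

The point of the model is the asymmetry: the buffer never trusts a String, so forgetting h() on user data cannot produce an XSS, while a fixed string that really must carry markup is the one place the author has to say so with raw. A practitioner auditing a Rails 3 app therefore greps for raw and html_safe, a much shorter list than every place h was ever omitted.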
