On 4 Feb 2015 at 12:00, Magne <[email protected]> wrote:

> I ran into a situation with .html_safe when communicating with a fellow
> programmer, and discovered that the method name isn't as clear as desired.
>
> .html_safe does not mean "please make this html safe", it's the opposite - it
> is you the programmer telling rails that "this string is html safe, promise!"
>
> This can be confused by programmers, and hence be a potential security risk.
> A programmer should be able to read the name of a method and unambiguously be
> able to predict what it does, precisely.
Every Rails developer, even beginners, should be aware of #html_safe and how it works, since Rails escapes all strings by default. If a developer wants to use #html_safe then there are two possibilities:

- He does want to mark the string as safe, so he searched for how to do it and found #html_safe. Everything is OK.
- He saw #html_safe somewhere, didn't even try to see whether strings are already escaped or not, didn't even read the API doc for #html_safe. He was just like "OK, I'm going to put this everywhere to secure my code!"

This second developer is dumb… Sorry. It means he didn't even read any doc or the Rails guide. Don't let him touch your code until he knows some basics! I think even a beginner should be aware that Rails escapes strings for you. If he isn't aware of that, he needs some training or at least to do some reading.
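To make the contract the thread is arguing about concrete, here is an added Ruby example (not Rails' own code, and not from either poster): MiniSafeBuffer is an assumed, simplified stand-in for ActiveSupport::SafeBuffer, and the String#html_safe it defines behaves as Magne describes, marking the string as trusted without escaping anything.

```ruby
require "erb"

# Simplified stand-in for ActiveSupport::SafeBuffer (assumption: the real
# class is more elaborate). Anything appended with << is escaped unless the
# value itself promises that it is already safe HTML.
class MiniSafeBuffer < String
  def html_safe?
    true
  end

  def <<(other)
    if other.respond_to?(:html_safe?) && other.html_safe?
      super(other.to_s)                        # trusted: appended verbatim
    else
      super(ERB::Util.html_escape(other.to_s)) # untrusted: escaped first
    end
  end

  # Static template markup, appended without escaping, like ERB output in Rails.
  def safe_concat(markup)
    self << markup.to_s.html_safe
  end
end

class String
  # The programmer's promise: "this string is already safe HTML".
  # Nothing is escaped or sanitised here; that is the point of the thread.
  def html_safe
    MiniSafeBuffer.new(self)
  end

  def html_safe?
    false
  end
end

# Renders a comment the way a view would: markup is trusted, values are
# escaped unless the caller has explicitly marked them html_safe.
def render_comment(author, body)
  out = MiniSafeBuffer.new("")
  out.safe_concat("<p><b>")
  out << author
  out.safe_concat("</b>: ")
  out << body
  out.safe_concat("</p>")
  out
end

UNTRUSTED = "<script>alert(1)</script>" # constructed sample of user input
```

render_comment("mallory", UNTRUSTED) escapes the script tag, while render_comment("mallory", UNTRUSTED.html_safe) lets it through verbatim, because html_safe asserted safety rather than providing it.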
