On Wed, Feb 4, 2015 at 12:00 PM, Magne <[email protected]> wrote:
> Hi,
>
> I ran into a situation with .html_safe when communicating with a fellow
> programmer, and discovered that the method name isn't as clear as desired.
>
> .html_safe does not mean "please make this html safe", it's the opposite
> - it is you the programmer telling rails that "this string is html safe,
> promise!"
>
> This can be confused by programmers, and hence be a potential security
> risk. A programmer should be able to read the name of a method and
> unambiguously be able to predict what it does, precisely.
>
> Renaming it to: .prevent_html_escaping would make it unambiguous, and
> directly refer to what is actually being done (so that the programmer
> doesn't have to infer what "safe" means, precisely).
>
Agreed.
> Another potential name could be something like: .render_html
>
This communicates much less what the intent is. render is extremely
ambiguous.
> Maybe .unescape_html is the best name for it. It states what you *do*
> with the string, and not what state it should be in afterwards ("this html
> is safe").
>
To me, this would imply that existing escaping would be removed from the
string. My understanding is that html_safe flags the string to be exempt
from a later escaping process. If you call it on a string where html-unsafe
characters have already been escaped by any means, that string remains
unchanged. Unless I'm wrong on that, unescape is ambiguous to me in this
context.
prevent_html_escaping seems the best of your suggestions.
Rainer
> Magne
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Core" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/d/optout.
>
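The semantics Rainer describes above (html_safe flags a string as exempt from a later escaping pass; it does not transform the string, and calling it on already-escaped content leaves the entities in place) can be seen in a small stand-alone Ruby model. This is an added illustration, not part of the thread and not Rails' own code: it mimics ActiveSupport::SafeBuffer with only the standard library's ERB::Util.html_escape, and the SafeBuffer, html_safe?, render_value and demo names here are this example's own simplified assumptions.

```ruby
require "erb"

# Simplified model (not ActiveSupport's implementation) of the "flag as
# already safe" behaviour behind Rails' html_safe.  A SafeBuffer is a String
# that the render step will NOT escape; appending an unflagged string to it
# escapes that string, appending a flagged one does not.
class SafeBuffer < String
  def html_safe?
    true
  end

  def <<(other)
    super(other.html_safe? ? other.to_s : ERB::Util.html_escape(other))
  end
end

# Like ActiveSupport, the model adds the predicate and the flagging method
# to String itself.  html_safe returns a flagged copy whose contents are
# byte-for-byte identical to the receiver: nothing is escaped or unescaped.
class String
  def html_safe?
    false
  end

  def html_safe
    SafeBuffer.new(self)
  end
end

# The template's output step: escape everything that has not been flagged.
def render_value(value)
  value.html_safe? ? value.to_s : ERB::Util.html_escape(value)
end

# Constructed sample inputs for the demonstration.
USER_INPUT      = "<script>alert(1)</script>"
ALREADY_ESCAPED = ERB::Util.html_escape(USER_INPUT)

def demo
  {
    # Unflagged input is escaped at render time (the safe default).
    escaped_by_default: render_value(USER_INPUT),
    # The flag is the programmer's promise: raw markup reaches the page.
    flagged_raw:        render_value(USER_INPUT.html_safe),
    # Rainer's point: html_safe on already-escaped text leaves the
    # entities intact, so "unescape" would describe it wrongly.
    flagged_escaped:    render_value(ALREADY_ESCAPED.html_safe),
    # Appending unflagged data to a safe buffer escapes only that data.
    buffer:             (SafeBuffer.new("<p>") << USER_INPUT << "</p>".html_safe).to_s,
  }
end

if __FILE__ == $0
  demo.each { |name, output| puts "#{name}: #{output}" }
end
```

Run it directly to print the four cases. The `flagged_raw` entry is the one the naming discussion is about: the only thing html_safe changes is whether the render step escapes the string, which is why a name describing the exemption ("prevent escaping") matches the behaviour better than one describing a transformation.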