>>>
>> safe_erb is a nice idea, but it still means you have to untaint each
>> time you do a sanity check like
>> return parser_error("invalid name #{name.inspect}") unless name =~ /^[a-zA-Z_]$/
>> name.untaint # <<< line to add
>>
>
> Yes nothing is free.
>
>> ...
>>
>> You cannot remove these lines (with some kind of conditional
>> compilation)
>
> Compilation?
>
> What you do is simply redefine your sanitizing method (that you should
> already have by the way) to untaint in dev mode, no more no less.
> safe_erb does it for html_escape, escape_once and strip_tags for example.
> In production there's zero impact: your original sanitizing methods run
> unmodified and you don't even have to put safe_erb in vendor/plugins there.
>
> This is how it works for us.

Ok, you solved the "conditional compilation" problem by wrapping all  
cleanup code in some generic methods that you redefine. It makes sense.

Thanks.

Gaspard
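The redefine-the-sanitizer pattern described above, as an added example (not code from this thread or from safe_erb). Ruby's built-in String#taint was removed in 3.2, so a small wrapper class stands in for a tainted request parameter; TaintGuard, Sanitizers, render_greeting and the APP_ENV switch are all invented names.

```ruby
require 'cgi'

module TaintGuard
  class << self
    attr_accessor :dev_mode # true in development, false in production
  end
  self.dev_mode = false

  # Stand-in for the removed String#taint: wraps untrusted input. In dev mode
  # it refuses to become a String at output time (interpolation, <%= %> and
  # CGI.escapeHTML all call to_s/to_str); in production it converts as-is.
  class Tainted
    def initialize(value) ; @value = value ; end
    attr_reader :value
    def to_s
      raise SecurityError, "tainted #{@value.inspect} reached output" if TaintGuard.dev_mode
      @value
    end
    alias to_str to_s
  end

  def self.untaint(s)
    s.is_a?(Tainted) ? s.value : s
  end

  # Dev mode only: prepend sanitizer versions that untaint their input. This is
  # never loaded in production, so the originals below run unmodified there.
  def self.install_dev_sanitizers!(mod)
    self.dev_mode = true
    mod.singleton_class.prepend(Module.new do
      def html_escape(s) ; super(TaintGuard.untaint(s)) ; end
      def parse_name(s)  ; super(TaintGuard.untaint(s)) ; end
    end)
  end
end

# The application's own sanitizing methods, identical in every environment.
module Sanitizers
  def self.html_escape(s)
    CGI.escapeHTML(s)
  end
  def self.parse_name(name) # the sanity check from the thread, fully anchored
    raise ArgumentError, "invalid name #{name.inspect}" unless /\A[a-zA-Z_]+\z/.match?(name)
    name
  end
end

# A view that forgot to escape: silent in production, a SecurityError in dev.
def render_greeting(name)
  "<p>Hello #{name}</p>"
end

TaintGuard.install_dev_sanitizers!(Sanitizers) if ENV.fetch('APP_ENV', 'development') == 'development'
```

Run it with APP_ENV=production to see the same code path return the raw string without any check.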

You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Talk" group.