I agree; it has never made sense to me to have to sanitize the output.

Escaping everything as you display it does have the benefit of allowing you
to see what information is in the DB. Also, you can change which tags are
allowed after the fact by using sanitize() instead of h().

The downside is that you have to escape it every time you display the page.
Granted this isn't a heavy operation, but it does happen repeatedly. It
seems to me that if you are always going to have to use h() anyway, things
should just be sanitized before insertion into the DB and forgo the h().

Just my opinion. I still use h() and sanitize().

--
Jeremy Chase
http://twitter.com/jeremychase
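The trade-off described in the message above, as an added example that is not part of the original thread or of Rails itself. `h` is backed by `ERB::Util.html_escape` from the Ruby standard library (the same call Rails' `h` helper wraps); `sanitize` here is a deliberately small allowlist stripper written for this example and is an assumption, not Rails' `sanitize()`. The sample comment is constructed. It shows why "sanitize before insert, skip h()" loses information that output-time escaping keeps: once tags are stripped at storage time, widening the allowlist later cannot bring them back, and calling h() on already-sanitized data double-escapes it.

```ruby
require 'erb'

# Constructed sample of user-submitted content (not from the original thread).
RAW_COMMENT = %q{<b>Great post</b> <script>alert(1)</script> <a href="x" onclick="evil()">link</a>}

# h(): escape for an HTML text node or double-quoted attribute value.
# ERB::Util.html_escape is Ruby stdlib; this is what Rails' h helper calls.
def h(str)
  ERB::Util.html_escape(str)
end

# Toy allowlist sanitizer (an assumption for this example, not Rails' sanitize()).
# Keeps only tags named in `allowed`, drops every attribute on them, and strips
# all other tags entirely. Text between stripped tags is left in place.
def sanitize(html, allowed: %w[b i em strong])
  html.gsub(%r{</?([a-zA-Z0-9]+)[^>]*>}) do |full_tag|
    tag = $1.downcase
    closing = full_tag.start_with?('</')
    if allowed.include?(tag)
      closing ? "</#{tag}>" : "<#{tag}>"
    else
      ''
    end
  end
end

# Strategy 1 (the post's "h() on every render"): store the raw text, escape
# at display time. The DB still holds exactly what the user typed.
def store_raw_render_escaped(raw)
  h(raw)
end

# Strategy 1 also lets the allowlist change after the fact, because the raw
# markup is still there to sanitize against the new policy at render time.
def store_raw_render_with_new_allowlist(raw, allowed)
  sanitize(raw, allowed: allowed)
end

# Strategy 2 (the post's "sanitize before insertion, forgo h()"): what is
# stored is already reduced to the allowlist in force at insert time.
def store_sanitized(raw)
  sanitize(raw)
end

# Widening the allowlist later cannot recover tags that were stripped on insert.
def stored_sanitized_with_new_allowlist(stored, allowed)
  sanitize(stored, allowed: allowed)
end

# Applying h() on top of data sanitized at insert time double-escapes the
# allowed tags, so the reader sees literal "&lt;b&gt;" on the page.
def double_escaped(stored)
  h(stored)
end

if __FILE__ == $0
  puts "escape on output:        #{store_raw_render_escaped(RAW_COMMENT)}"
  puts "raw + wider allowlist:   #{store_raw_render_with_new_allowlist(RAW_COMMENT, %w[b a])}"
  stored = store_sanitized(RAW_COMMENT)
  puts "stored sanitized:        #{stored}"
  puts "stored + wider allowlist:#{stored_sanitized_with_new_allowlist(stored, %w[b a])}"
  puts "stored then h():         #{double_escaped(stored)}"
end
```

Run it with `ruby escape_vs_sanitize.rb`. The first line shows that output-time escaping never emits a raw `<` or `"` from user data, which is what makes it safe in text nodes and quoted attributes; the third and fourth lines show that once the `<a>` was stripped at insert time, no later policy change gets it back, while the second line shows the raw-storage path can honour the new allowlist.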



On Tue, Mar 16, 2010 at 12:10 AM, Tom Mac <[email protected]> wrote:

> Hi
>   No comments yet!
>
> Tom
>
> --
> Posted via http://www.ruby-forum.com/.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Talk" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected]<rubyonrails-talk%[email protected]>
> .
> For more options, visit this group at
> http://groups.google.com/group/rubyonrails-talk?hl=en.
>
>
