I really like the idea of acts_as_secure/unescaped, especially with the
method missing catch as you have mentioned.
<%= model.name_raw %> or <%= model.name %>
Raw is simply a naming preference for me, as name would be the processed
version (secured).
The discussions so far have shown two very s
I haven't personally suffered the agony of magic quotes, but the problem
seems to have been that it didn't unescape well and that it would break
methods that were not expecting escaped text.
My contention is that those methods were already broken because they
were insecure and/or couldn't ha
I'm trying to figure out what I might be missing in the Sybase
connection adapter (http://dev.rubyonrails.org/ticket/3765) that's
flunking some of the polymorphic unit tests in
associations_join_model_test.rb. Specifically, these four tests are
failing:
test_polymorphic_has_many_create
Hi.
I've submitted a patch (http://dev.rubyonrails.org/ticket/3837) and
since it's my first attempt on extending rails I'd like you to review
it.
I'm wondering if my proceedings were "the right way" to do it or
should I do something else.
Thank you,
Diego
To be honest, it took me up until about a few weeks ago to come across a
posting from someone in the Rails community why <%=h is needed to secure the
output of the user input. I have been developing with rails for some time
now, and I know a few things about XSS, yet still, while I was
shif
On 2/15/06, Nathaniel S. H. Brown <[EMAIL PROTECTED]> wrote:
> I really like the idea of acts_as_secure/unescaped, especially with the
> method missing catch as you have mentioned.
This is a bad idea. It assumes data from ActiveRecord models only
ever displayed on the web. This ignores email tem
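The mechanism Nathaniel sketches (an attribute read returns the HTML-escaped value, and a `_raw` suffix caught by `method_missing` returns the stored value) and Tom's objection to it (any non-HTML consumer now gets escaped text) can both be seen in a few lines of plain Ruby. The block below is an added illustration, not code from the thread, the acts_as_secure plugin, or Rails: the `EscapedAttributes` module, the `Post` stand-in class and the attacker-controlled comment record are all constructed here for the example.

```ruby
require 'cgi'

# Hypothetical mix-in (an assumption for this example, not the plugin discussed
# in the thread): every attribute read is HTML-escaped by default, and the same
# attribute with a `_raw` suffix returns the stored, unescaped value.
module EscapedAttributes
  SUFFIX = '_raw'.freeze

  def method_missing(name, *args, &block)
    key = name.to_s
    if key.end_with?(SUFFIX)
      base = key.delete_suffix(SUFFIX)
      return attributes[base] if attributes.key?(base)   # model.name_raw
    elsif attributes.key?(key)
      return CGI.escapeHTML(attributes[key].to_s)       # model.name (escaped)
    end
    super
  end

  def respond_to_missing?(name, include_private = false)
    attributes.key?(name.to_s.delete_suffix(SUFFIX)) || super
  end
end

# Stand-in for an ActiveRecord model: just a hash of column values.
class Post
  include EscapedAttributes
  attr_reader :attributes

  def initialize(attributes)
    @attributes = attributes
  end
end

# Constructed input: what an attacker would type into a comment form.
COMMENT = Post.new(
  'name'  => '<script>alert(1)</script>',
  'email' => 'a&b@example.com'
)

# The view case the proposal is built for: <%= model.name %> is now safe by
# default, and <%= model.name_raw %> is the explicit opt-out.
def html_output
  COMMENT.name
end

def raw_output
  COMMENT.name_raw
end

# Tom's objection: an email template, a log line or a non-web script reading
# the same model does not want HTML entities, but gets them unless the author
# remembers to ask for the `_raw` form everywhere outside a view.
def email_body
  "Reply to: #{COMMENT.email}"
end

def email_body_raw
  "Reply to: #{COMMENT.email_raw}"
end
```

Running this shows the trade-off directly: `html_output` returns the entity-encoded script tag, while `email_body` carries `a&amp;b@example.com` into a plain-text mail unless the template is rewritten to use `email_raw`. The escaping is moved from the view (where the output encoding is known) to the model (where it is not), which is the "double escaping" problem the magic-quotes comparison in the thread is about.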
On Wednesday, February 15, 2006, at 2:50 PM, Tom Ward wrote:
>This is a bad idea. It assumes data from ActiveRecord models only
>ever displayed on the web. This ignores email templates, logging, etc
>from within web apps, not to mention applications using ActiveRecord
>outside the web.
The idea
On 15 Feb 2006 15:39:25 -, Kevin Olbrich
<[EMAIL PROTECTED]> wrote:
>
> On Wednesday, February 15, 2006, at 2:50 PM, Tom Ward wrote:
> >This is a bad idea. It assumes data from ActiveRecord models only
> >ever displayed on the web. This ignores email templates, logging, etc
> >from within web
I think the time has come for less talk and more code. Make a plugin
that implements this. Use it for a month. If you still like it and
find the trade-offs to be reasonable, ask other people to give it a
swing. Once there's a critical mass of acceptance, let's discuss how
we can use those learnings
Yeah, I'm fiddling with this now.
Turns out to be a bit trickier than I thought, but should be doable.
_Kevin
On Wednesday, February 15, 2006, at 12:31 PM, David Heinemeier Hansson wrote:
>I think the time has come for less talk and more code. Make a plugin
>that implements this. Use it for a mont