Reinier Balt wrote:
> > How about the belt and suspenders approach? <%= h sanitize(todo.description) %>
>
> Is h not enough? If there is XSS stuff in the description, won't h just escape it so that the browser never executes it?
>
> Reinier

I suppose that 'h' is enough... That's why I referred to it as a "belt-and-suspenders" approach.
But I also wonder... If HTML will not be displayed in output, shouldn't we run the 'h' method on form data before the ActiveRecord#save method is run; and also should there be some validation being done to prevent saving of data with illegal character sequences?
--
---------------------------
Jeffrey Gipson
Process Networks Plus, Inc.
---------------------------
Behold, the fool saith, "Put not all thine eggs in the one basket"--which is
but a manner of saying, "Scatter your money and your attention;" but the wise
man saith, "Put all your eggs in the one basket and--WATCH THAT BASKET."
-- Mark Twain, "Pudd'nhead Wilson's Calendar"
_______________________________________________ Tracks-discuss mailing list [email protected] http://lists.rousette.org.uk/mailman/listinfo/tracks-discuss
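The following is an added illustration of the two points raised in this thread (whether `h` alone neutralises markup in a description, and what happens if escaping is moved to before `save`); it is not code from the thread or from Tracks. It assumes Rails' `h` is `ERB::Util.html_escape`, which Ruby's standard `erb` library provides, and uses a constructed sample description. Rails' `sanitize` (an allowlist tag filter) is deliberately not reproduced here.

```ruby
require 'erb'

# Constructed sample of an untrusted todo description containing markup
# (not taken from the thread).
UNTRUSTED_DESCRIPTION = %q{Buy milk <script>alert('xss')</script> & <b>eggs</b>}

# Rails' `h` is ERB::Util.html_escape: every HTML-significant character
# (& < > " ') becomes an entity, so the browser shows the text literally
# and never parses it as markup or script.
def h(text)
  ERB::Util.html_escape(text)
end

# Output-time escaping (the `<%= h ... %>` approach): the stored value stays
# raw in the database and `h` is applied once, in the view.
def render_at_output(stored_raw)
  h(stored_raw)
end

# Escaping before save (the alternative floated in the thread): the value
# written to the database is already escaped.
def escape_before_save(raw)
  h(raw)
end

# A view that still applies `h` to such a pre-escaped value escapes it twice,
# so the user sees "&lt;" instead of "<". This is the usual reason escaping is
# done at output time and the raw text is kept in storage.
def render_double_escaped(stored_escaped)
  h(stored_escaped)
end

# True if a rendered string still contains any tag or attribute delimiter
# that a browser could interpret as markup.
def contains_raw_markup?(rendered)
  rendered.match?(/[<>"']/)
end

# True if the string carries the signature of double escaping.
def double_escaped?(rendered)
  rendered.include?('&amp;lt;') || rendered.include?('&amp;gt;')
end

if __FILE__ == $0
  once = render_at_output(UNTRUSTED_DESCRIPTION)
  puts "escaped at output:  #{once}"
  puts "raw markup left?    #{contains_raw_markup?(once)}"

  twice = render_double_escaped(escape_before_save(UNTRUSTED_DESCRIPTION))
  puts "escaped before save, then again in view: #{twice}"
  puts "double escaped?     #{double_escaped?(twice)}"
end
```

Run it directly to see the two renderings side by side. The first output contains no `<`, `>`, `"` or `'` at all, which is why `h` by itself is sufficient to stop the description from being executed; the second shows the `&amp;lt;` artefact a user would see if the value had also been escaped before `save`.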