I think you can do that for the description field, but I don't know about the notes field because of the markup that is allowed in there...

Would be nice if there was some sort of whitelist (only allow certain tags) & tidy function (adds missing end tags) or something.

Reinier

From: Jeff Gipson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday 24 June 2008 16:56
To: Reinier Balt
CC: [email protected]
Subject: Re: [Tracks-discuss] Tracks-discuss Digest, Vol 28, Issue 20

Reinier Balt wrote:
> How about the belt and suspenders approach?
>
>     <%= h sanitize(todo.description) %>
>
> Is h not enough? If there is XSS stuff in the description, won't h just escape it so that the browser never executes it?
>
> Reinier

I suppose that 'h' is enough... That's why I referred to it as a "belt-and-suspenders" approach.

But I also wonder... If HTML will not be displayed in output, shouldn't we run the 'h' method on form data before the ActiveRecord#save method is run; and also should there be some validation being done to prevent saving of data with illegal character sequences?

--
---------------------------
Jeffrey Gipson
Process Networks Plus, Inc.
---------------------------
Behold, the fool saith, "Put not all thine eggs in the one basket"--which is but a manner of saying, "Scatter your money and your attention;" but the wise man saith, "Put all your eggs in the one basket and--WATCH THAT BASKET."
-- Mark Twain, "Pudd'nhead Wilson's Calendar"
_______________________________________________
Tracks-discuss mailing list
[email protected]
http://lists.rousette.org.uk/mailman/listinfo/tracks-discuss
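The thread contrasts three things: `h` (escape everything), a whitelist-plus-tidy `sanitize` (keep only allowed tags, close what the author left open), and the "belt and suspenders" form `h sanitize(...)`. The following is an added example, not Tracks project code or Rails' own `sanitize` helper: `h` is emulated with `CGI.escapeHTML`, and `ALLOWED_TAGS`, `TAG_RE`, `sanitize` and `belt_and_suspenders` are this example's own assumed names and tag list. It shows that `h` over the sanitized output escapes the allowed markup as well, which is harmless for the description field (where no HTML is wanted) but throws away exactly the markup the notes field is supposed to keep.

```ruby
require 'cgi'

# Added example (not Tracks or Rails code): a minimal allow-list sanitizer with
# tidy-style end-tag repair, plus an emulation of Rails' `h` for comparison.

# Escape everything, as `h` does: no markup survives at all.
def h(text)
  CGI.escapeHTML(text.to_s)
end

# Tags that may be kept and, per tag, the attributes that may survive.
# This list is an assumption for the example, not Tracks' real whitelist.
ALLOWED_TAGS = {
  'b' => [], 'i' => [], 'em' => [], 'strong' => [], 'p' => [], 'br' => [],
  'a' => ['href']
}.freeze

TAG_RE = %r{<\s*(/?)\s*([a-zA-Z0-9]+)([^<>]*?)\s*(/?)\s*>}m

# Keeps allowed tags, renders every other tag as escaped text, drops non-http(s)
# hrefs and all other attributes, repairs mis-nesting and closes open tags.
def sanitize(html)
  html = html.to_s
  open_tags = []
  out = +''
  pos = 0
  html.scan(TAG_RE) do
    m = Regexp.last_match
    out << h(html[pos...m.begin(0)])          # text between tags is escaped
    pos = m.end(0)
    closing    = m[1] == '/'
    name       = m[2].downcase
    attrs      = m[3]
    self_close = m[4] == '/'

    unless ALLOWED_TAGS.key?(name)
      out << h(m[0])                           # <script> becomes &lt;script&gt;
      next
    end

    if closing
      if open_tags.include?(name)
        # Close anything opened after this tag first (fixes <b><i>x</b></i>).
        while (t = open_tags.pop) != name
          out << "</#{t}>"
        end
        out << "</#{name}>"
      end
      next                                     # a stray close tag is dropped
    end

    safe_attrs = +''
    ALLOWED_TAGS[name].each do |attr|
      next unless attrs =~ /\b#{attr}\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+))/i
      val = $2 || $3 || $4
      next unless val =~ %r{\A\s*https?://}i   # javascript: and data: URLs go
      safe_attrs << %( #{attr}="#{h(val)}")
    end

    if self_close || name == 'br'
      out << "<#{name}#{safe_attrs} />"
    else
      out << "<#{name}#{safe_attrs}>"
      open_tags << name
    end
  end
  out << h(html[pos..-1])
  out << open_tags.reverse.map { |t| "</#{t}>" }.join   # tidy: missing end tags
  out
end

# The thread's "belt and suspenders" form: `h` applied to the sanitized output.
def belt_and_suspenders(html)
  h(sanitize(html))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample note: allowed markup mixed with an XSS attempt.
  note = '<b>Call</b> <a href="javascript:alert(1)">bank</a><script>alert(1)</script><i>open'
  puts sanitize(note)            # allowed tags kept, script escaped, <i> closed
  puts belt_and_suspenders(note) # everything escaped, including <b> and <i>
end
```

`sanitize` alone gives the notes field what Reinier asked for: the allowed tags render, the `<script>` element is shown as literal text, the `javascript:` href is dropped and the unclosed `<i>` is closed. Wrapping that in `h` is safe but turns `<b>` into `&lt;b&gt;`, so it only makes sense for fields that never display HTML, such as the description.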
