On Monday 15 March 2010 19:29:39 Ladislav Slezak wrote:
>
> (Solution: use h() helper in views for escaping all user-entered values
> or values read from a potentially unsafe source (which is almost
> everything), see http://api.rubyonrails.org/classes/ERB/Util.html#M000315)
You could also use the RailsXss plugin, which escapes all unsafe strings by default. This will also be the default behavior in Rails 3. As it errs on the side of safeness I think it's the favorable approach compared to manually escaping.

--
Cornelius Schumacher <[email protected]>

--
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
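The two regimes compared in this thread (opt-in escaping with h() versus escape-by-default as in the RailsXss plugin and Rails 3), shown side by side as an added example; this is not code from the thread, from YaST or from Rails. It uses the stdlib ERB::Util.html_escape that Ladislav points at, and a tiny regex-based template renderer plus a SafeString class that stand in for Rails' view layer and ActiveSupport::SafeBuffer (both are assumptions made so the example runs without Rails). The attacker payload and templates are constructed sample input.

```ruby
require 'erb'

# Toy model of the two escaping regimes discussed in the thread.
# Rails 2: <%= value %> inserts raw text; the view author must call h().
# Rails 3 / rails_xss: every <%= %> result is escaped unless marked html_safe.
# SafeString is a minimal stand-in for ActiveSupport::SafeBuffer (assumption,
# not the real class); it only carries the "already safe" marker.

class SafeString < String
  def html_safe?; true; end
  def to_s; self; end        # keep the marker when gsub calls to_s on us
end

class String
  def html_safe?; false; end
  def html_safe; SafeString.new(self); end
end

# h(): the ERB::Util.html_escape helper the thread points at, wrapped so that
# an already-escaped value is not escaped a second time (as Rails 3 does).
def h(value)
  s = value.to_s
  return s if s.html_safe?
  ERB::Util.html_escape(s).html_safe
end

# Evaluate one template expression with the given variables in scope.
# (Assumed mini renderer so the example runs offline; not Rails' ERB handler.)
def eval_expr(expr, vars)
  ctx = Object.new
  vars.each { |name, value| ctx.define_singleton_method(name) { value } }
  ctx.instance_eval(expr)
end

# Rails 2 semantics: output exactly what the expression returns.
def render_unsafe_by_default(template, vars)
  template.gsub(/<%=\s*(.*?)\s*%>/) { eval_expr($1, vars).to_s }
end

# Rails 3 / rails_xss semantics: escape unless the value is html_safe.
def render_safe_by_default(template, vars)
  template.gsub(/<%=\s*(.*?)\s*%>/) { h(eval_expr($1, vars)).to_s }
end

PAYLOAD  = %q{<script>alert("xss")</script>}   # constructed attacker input
TEMPLATE = '<p>Hello, <%= name %></p>'

def demo
  {
    # Rails 2, author forgot h(): the script tag lands in the page unchanged.
    rails2_forgot_h: render_unsafe_by_default(TEMPLATE, name: PAYLOAD),
    # Rails 2, author remembered h(): escaped.
    rails2_with_h:   render_unsafe_by_default('<p>Hello, <%= h(name) %></p>', name: PAYLOAD),
    # rails_xss / Rails 3: escaped whether or not h() is written, and not twice.
    rails3_plain:    render_safe_by_default(TEMPLATE, name: PAYLOAD),
    rails3_with_h:   render_safe_by_default('<p>Hello, <%= h(name) %></p>', name: PAYLOAD),
    # Markup the author deliberately trusts must be marked html_safe to pass through.
    rails3_trusted:  render_safe_by_default('<div><%= markup.html_safe %></div>',
                                            markup: '<b>bold</b>'),
  }
end

if __FILE__ == $0
  demo.each { |label, html| puts "#{label}: #{html}" }
end
```

The point the toy makes is the one Cornelius argues: under opt-in escaping a single forgotten h() is an injection, while under escape-by-default the failure mode is inverted, trusted markup shows up escaped until the author explicitly marks it html_safe, which is the safer direction to fail in.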
