15 Mar 2010 18:42
On Monday 15 March 2010 19:29:39 Ladislav Slezak wrote:
> (Solution: use the h() helper in views for escaping all user-entered values or values read from a potentially unsafe source (which is almost everything), see http://api.rubyonrails.org/classes/ERB/Util.html#M000315)
You could also use the RailsXss plugin, which escapes all unsafe strings by
default. This will also be the default behavior in Rails 3. As it errs on the
side of safeness I think it's the favorable approach compared to manually
escaping.
--
Cornelius Schumacher
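The two approaches discussed above, as an added example that is not part of the thread or of any Rails code: the first class renders the same template with and without the h() helper (h() is ERB::Util.html_escape, which plain ERB also provides); the second part is a deliberately minimal stand-in for the escape-by-default buffer that rails_xss and Rails 3 use, written here as an assumption about the idea, not the real ActiveSupport::SafeBuffer. The attacker input is constructed.

```ruby
require "erb"

# Part 1: manual escaping, the h() approach from the quoted message.
class Greeting
  include ERB::Util  # provides h(), an alias of ERB::Util.html_escape

  UNSAFE = ERB.new("<p>Hello, <%= name %></p>")     # interpolates user input verbatim
  SAFE   = ERB.new("<p>Hello, <%= h(name) %></p>")  # escapes it with h()

  attr_reader :name

  def initialize(name)
    @name = name   # assumed to come from an untrusted source (form field, URL, DB)
  end

  def render_unsafe
    UNSAFE.result(binding)
  end

  def render_safe
    SAFE.result(binding)
  end
end

# Part 2: escape-by-default, in the spirit of rails_xss / Rails 3.
# Assumption: a toy model of the idea, not ActiveSupport::SafeBuffer itself.
# Anything appended that is not explicitly marked as trusted markup is escaped,
# so a forgotten h() in a view can no longer reintroduce XSS.
class SafeBuffer
  Safe = Struct.new(:html)   # wrapper marking a string as trusted (like String#html_safe)

  def self.raw(html)
    Safe.new(html)
  end

  def initialize
    @out = +""
  end

  def <<(value)
    @out << (value.is_a?(Safe) ? value.html : ERB::Util.html_escape(value.to_s))
    self
  end

  def to_s
    @out
  end
end

# Same template as above, built without any explicit call to h().
def render_escape_by_default(name)
  buf = SafeBuffer.new
  buf << SafeBuffer.raw("<p>Hello, ") << name << SafeBuffer.raw("</p>")
  buf.to_s
end

# Crude check used to compare the outputs: a surviving <script> tag means the
# untrusted value reached the page unescaped.
def contains_script_tag?(html)
  html.match?(/<script\b/i)
end

if __FILE__ == $PROGRAM_NAME
  payload = "<script>alert(1)</script>"   # constructed attacker-controlled input
  g = Greeting.new(payload)
  puts g.render_unsafe                  # the tag is rendered verbatim
  puts g.render_safe                    # h() turns < and > into &lt; and &gt;
  puts render_escape_by_default(payload) # same result with no h() in the template
end
```

The point of the second part is the one made in the reply: with escape-by-default the developer has to opt in to unescaped output (here by wrapping markup in SafeBuffer.raw), whereas with manual h() every omission is a potential XSS.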