Note that Rails has also changed to escaping by default:
http://weblog.rubyonrails.org/2009/10/12/what-s-new-in-edge-rails
On Fri, Dec 4, 2009 at 4:02 PM, Roger Binns <rogerb@rogerbinns.com> wrote:
>> http://github.com/yssk22/crayon
>>
>> This library enables you to write as follows:
>>
>> <%= h(var) %>
>> <%= text_field(doc, "path-to-field") %>
>
> embeddedjs includes a views.js file that adds something similar.
>
> My concern about escaping is over simple values. For example if someone
> specifies something like this in a template.
>
> <%= title %>
>
> If the value is not HTML escaped by default then it is a potential source of
> XSS attacks. In the vast majority of cases values should be HTML escaped.
> A separate mechanism can then be used to stop escaping (for example Mustache
> uses different tags and the Python Genshi templating system wraps the value
> in a different class).
>
> Roger