Rails security model defaults to non-escaped output

Is there a way to toggle the security model so all output is escaped by default, and passing <%=n (paragraph) %> when I do *not* want my output escaped? Having to add <%=h () %> currently to do it is cumbersome and prone to mistakes.

Anthony Ettinger wrote:

Is there a way to toggle the security model so all output is escaped by default, and passing <%=n (paragraph) %> when I do *not* want my output escaped? Having to add <%=h () %> currently to do it is cumbersome and prone to mistakes.

-- Anthony Ettinger 408-656-2473 http://anthony.ettinger.name

Think of it this way: if <%= ... %> always output escaped HTML, then what would happen with this code?

index.html.erb

But the question was whether there was a way to modify the models, not ERB (which is what changes Ruby to strings). And no, there isn't a Rails way to do what you are asking, and unfortunately I don't know of any plugins that do that. I have thought about it myself a few times, and if it really bothers you I'd suggest writing a plugin for it. I'm sure it would get much appreciation.

j

"Wolas!" wrote:

But the question was whether there was a way to modify the models, not ERB (which is what changes Ruby to strings). And no, there isn't a Rails way to do what you are asking, and unfortunately I don't know of any plugins that do that. I have thought about it myself a few times, and if it really bothers you I'd suggest writing a plugin for it. I'm sure it would get much appreciation.

j

On Jul 6, 10:14 pm, Matthew Rudy Jacobs <rails-mailing-l...@andreas-

No, that isn't what he asked. He asked about "the security model" in a generic sense.

Namely, he was asking about ERB template escaping.

I imagine if you wanted to escape HTML on the model level, you'd just want to do the following.

    require 'erb'

    class Post < ActiveRecord::Base
      # Escaped by default; call content(false) when the raw HTML is wanted.
      def content(escape = true)
        if escape
          ERB::Util.html_escape(self[:content]) # what the h() view helper calls
        else
          self[:content]
        end
      end
    end

That worked in Rails 1.1.6; I don't know if it still works.

=================
<html>
<body>
<%= render :partial => "content" %>
</body>
</html>

Or indeed <%= link_to ... %>, <%= text_field ... %>. With the current setup it's going to be very hard to get this right.

Fred
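The thread asks two things: Anthony wants <%= %> to escape by default with an explicit opt-out, and Fred points out that a blanket "escape everything" rule would also escape the markup that render :partial, link_to and text_field legitimately emit. The following is an added example, not code from the thread or from Rails itself. It uses only Ruby's standard ERB and shows one way to reconcile both points: a SafeString marker type (a much simplified stand-in for the html_safe mechanism Rails later shipped), a template compiler that wraps every <%= expr %> in an escaping out() call, and helpers that escape their own arguments and return marked-safe markup so they are not escaped a second time. Names such as View, Helpers, out, raw, render_partial, PARTIAL and PAGE are assumptions of this example, and XSS_COMMENT is a constructed sample input.

```ruby
require 'erb'

# A String subclass marking a value as already-safe HTML, so the
# escape-by-default output step leaves it alone.
class SafeString < String
  def html_safe?
    true
  end
end

class String
  # Plain strings are untrusted until something explicitly marks them.
  def html_safe?
    false
  end
end

module Helpers
  # Mark markup you assembled yourself as trusted. Never call this on user input.
  def raw(str)
    SafeString.new(str.to_s)
  end

  # The output filter wrapped around every <%= %>: escapes anything not already
  # marked safe, and marks the result safe so an enclosing template will not
  # escape it a second time.
  def out(value)
    value.html_safe? ? value : raw(ERB::Util.html_escape(value.to_s))
  end

  # A helper in the style of Rails' link_to: escapes its own arguments and
  # returns the assembled tag marked safe. Under a naive "escape everything"
  # rule this tag would be escaped again and shown as literal text.
  def link_to(text, href)
    raw(%(<a href="#{ERB::Util.html_escape(href)}">#{ERB::Util.html_escape(text)}</a>))
  end
end

class View
  include Helpers

  def initialize(**locals)
    # Expose locals as methods so templates can write <%= comment %>.
    locals.each { |name, value| define_singleton_method(name) { value } }
  end

  # Rewrite every <%= expr %> into <%= out(expr) %> before compiling, so the
  # template author gets escaping without typing h() anywhere.
  # Assumes expressions contain no literal "%>" and use parentheses for calls.
  def self.escape_by_default(template)
    template.gsub(/<%=(.*?)%>/m) { "<%= out(#{Regexp.last_match(1).strip}) %>" }
  end

  def render(template)
    ERB.new(View.escape_by_default(template)).result(binding)
  end

  # Partials return their finished markup marked safe, so the parent
  # template's out() passes them through untouched.
  def render_partial(template, **locals)
    raw(View.new(**locals).render(template))
  end
end

PARTIAL = "<em><%= body %></em>"

# Constructed sample input: an attacker-controlled comment.
XSS_COMMENT = %q(<script>alert("xss")</script>)

PAGE = <<~ERB
  <p><%= comment %></p>
  <%= link_to(name, "/?q=<a>") %>
  <%= render_partial(PARTIAL, body: comment) %>
  <%= raw("<hr>") %>
ERB

def render_page
  View.new(comment: XSS_COMMENT, name: "Rails <3").render(PAGE)
end

# For contrast, the rule Fred objects to: escape the result of every <%= %>
# unconditionally, with no notion of "already safe". Helper output and
# partials come back as visible, broken text instead of markup.
def render_naively(template, **locals)
  naive = template.gsub(/<%=(.*?)%>/m) do
    "<%= ERB::Util.html_escape(#{Regexp.last_match(1).strip}) %>"
  end
  View.new(**locals).instance_eval { ERB.new(naive).result(binding) }
end

puts render_page if $PROGRAM_NAME == __FILE__
```

Running render_page escapes the comment both at the top level and inside the partial, while the link_to tag and the raw("<hr>") opt-out come through as markup; render_naively on the same template turns the link into "&lt;a href=..." text, which is exactly the breakage Fred describes. The design point is that the marker travels with the value, not with the call site, so a helper escapes once at the point where it knows which parts are data and which are markup.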