Rails security model defaults to non-escaped output

Is there a way to toggle the security model so all output is escaped
by default, and passing <%=n (paragraph) %> when I do *not* want my
output escaped?
Having to add <%=h () %> currently to do it is cumbersome and prone to mistakes.

Anthony Ettinger wrote:

Is there a way to toggle the security model so all output is escaped
by default, and passing <%=n (paragraph) %> when I do *not* want my
output escaped?
Having to add <%=h () %> currently to do it is cumbersome and prone to
mistakes.

--
Anthony Ettinger
408-656-2473
http://anthony.ettinger.name

Think of it this way...
if <%= ... %> always output escaped HTML... then what would happen
with this code?

index.html.erb

But the question was if there was a way to modify the models, not ERB
(which is what changes Ruby to strings). And no, there isn't a Rails way
to do what you are asking, and unfortunately I don't know any plugins
that do that. I have thought about it myself a few times, and if it
really bothers you I'd suggest writing a plugin for it. I'm sure it'd get
much appreciation.

j

"Wolas!" wrote:

But the question was if there was a way to modify the models, not ERB
(which is what changes Ruby to strings). And no, there isn't a Rails way
to do what you are asking, and unfortunately I don't know any plugins
that do that. I have thought about it myself a few times, and if it
really bothers you I'd suggest writing a plugin for it. I'm sure it'd get
much appreciation.

j

On Jul 6, 10:14 pm, Matthew Rudy Jacobs <rails-mailing-l...@andreas-

No, that isn't what he asked.
He asked about "the security model" in a generic sense.

Namely, he was asking about ERB template escaping.

I imagine if you wanted to escape HTML on the model level,

you'd just want to do the following.

require 'erb'

class Post < ActiveRecord::Base
  # Escaped by default; pass false to get the raw column value.
  def content(escape = true)
    if escape
      # ERB::Util.html_escape is what the h view helper calls; a model has no
      # view helpers in scope, so call it directly.
      ERB::Util.html_escape(self[:content])
    else
      self[:content]
    end
  end
end

That worked in Rails 1.1.6.
I don't know if it still works.

=================
<html>
<body>
<%= render :partial => "content" %>
</body>
</html>

Or indeed <%= link_to ...%>, <%= text_field ... %>
With the current setup it's going to be very hard to get this right.

Fred
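As an added example (not code from this thread, and not Rails' own implementation), the following shows one way to get the escape-by-default <%= %> Anthony asked for without the double-escaping Fred points out: helpers that build markup themselves (here a toy link_to) return a string carrying a "safe" marker that the output buffer passes through untouched, a raw() helper gives the explicit opt-out, and everything else is escaped. Rails 3 later adopted this same idea with ActiveSupport::SafeBuffer and String#html_safe. Everything here runs on the standard-library ERB; the SafeString, EscapingBuffer and TemplateContext classes, the raw and link_to helper names, and the sample template and post are assumptions made for the demonstration. The trust_safe: false switch shows what Fred describes: with no way to mark helper output as safe, the <a> tag produced by link_to is escaped into literal text.

```ruby
require 'erb'

# Marker for a String that is already safe HTML. Helpers that build markup
# return one of these so an escape-by-default template does not escape twice.
class SafeString < String
  # ERB calls .to_s on every <%= %> result; keep the marker through that call
  # (String#to_s on a subclass would otherwise return a plain String).
  def to_s
    self
  end
end

# Output buffer the compiled template writes into. Literal template text goes
# through #raw; every <%= %> result goes through #insert and is escaped unless
# it carries the SafeString marker (and the marker is being honoured).
class EscapingBuffer
  def initialize(trust_safe: true)
    @buf = +''
    @trust_safe = trust_safe
  end

  def raw(text)
    @buf << text
  end

  def insert(value)
    @buf << (@trust_safe && value.is_a?(SafeString) ? value : ERB::Util.html_escape(value))
  end

  def to_s
    @buf
  end
end

# Compile an ERB template so that <%= %> means "escape by default". The
# put/insert commands of ERB::Compiler are documented, public API; here they
# are pointed at an EscapingBuffer instead of at a plain String.
def compile_escaping(template)
  compiler = ERB::Compiler.new('-')
  compiler.pre_cmd    = ['__out = EscapingBuffer.new(trust_safe: trust_safe)']
  compiler.put_cmd    = '__out.raw'
  compiler.insert_cmd = '__out.insert'
  compiler.post_cmd   = ['__out.to_s']
  compiler.compile(template).first
end

# Hypothetical view context: the object whose methods a template can call.
class TemplateContext
  attr_reader :post

  def initialize(post)
    @post = post
  end

  # The "<%= raw(...) %>" opt-out: the caller vouches that the value is HTML.
  def raw(value)
    SafeString.new(value.to_s)
  end

  # A helper that emits markup itself. It escapes its own inputs and marks the
  # result safe, so the buffer does not escape the <a> tag a second time.
  def link_to(text, href)
    SafeString.new(%(<a href="#{ERB::Util.html_escape(href)}">#{ERB::Util.html_escape(text)}</a>))
  end

  def template_binding(trust_safe)
    binding # exposes trust_safe, post and the helpers to the compiled template
  end
end

# Render a template against a post; trust_safe: false ignores the marker, which
# is the always-escape behaviour that breaks markup-producing helpers.
def render(template, post, trust_safe: true)
  ctx = TemplateContext.new(post)
  eval(compile_escaping(template), ctx.template_binding(trust_safe))
end

Post = Struct.new(:title, :body)

# Constructed sample template and record (not taken from the thread).
SAMPLE_TEMPLATE = <<~TEMPLATE
  <p><%= post.title %></p>
  <p><%= raw(post.body) %></p>
  <%= link_to(post.title, "/posts?q=<x>") %>
TEMPLATE

SAMPLE_POST = Post.new('<script>alert(1)</script>', '<b>trusted markup</b>')

if __FILE__ == $PROGRAM_NAME
  puts render(SAMPLE_TEMPLATE, SAMPLE_POST)
  puts '--- with the safe marker ignored (everything escaped, link_to mangled):'
  puts render(SAMPLE_TEMPLATE, SAMPLE_POST, trust_safe: false)
end
```

With the marker honoured, the title is escaped, the body passes through because raw() vouched for it, and link_to's anchor survives with its own inputs escaped. With trust_safe: false the anchor comes out as `&lt;a href=...`, which is exactly why a blanket "always escape <%= %>" cannot be dropped into an existing set of helpers.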