Is there a way to toggle the security model so all output is escaped by default, and passing <%=n (paragraph) %> when I do *not* want my output escaped? Having to add <%=h () %> currently to do it is cumbersome and prone to mistakes.
Anthony Ettinger wrote:
Is there a way to toggle the security model so all output is escaped by default, and passing <%=n (paragraph) %> when I do *not* want my output escaped? Having to add <%=h () %> currently to do it is cumbersome and prone to mistakes.
-- Anthony Ettinger 408-656-2473 http://anthony.ettinger.name
Think of it this way... if <%= ... %> always outputted escaped html... then what would happen with this code?
index.html.erb
But the question was if there was a way to modify the models, not erb (which is what changes ruby to strings). And no, there isn't a Rails way to do what you are asking, and unfortunately I don't know any plugins that do that. I have thought about it myself a few times and if it really bothers you I'd suggest writing a plugin for it. I'm sure it'd get much appreciation.
j
"Wolas!" wrote:
But the question was if there was a way to modify the models, not erb (which is what changes ruby to strings). And no, there isn't a Rails way to do what you are asking, and unfortunately I don't know any plugins that do that. I have thought about it myself a few times and if it really bothers you I'd suggest writing a plugin for it. I'm sure it'd get much appreciation.
j
On Jul 6, 10:14 pm, Matthew Rudy Jacobs <rails-mailing-l...@andreas-
no, that isn't what he asked. He asked about "the security model" in a generic sense.
namely he was asking about erb template escaping.
I imagine if you wanted to escape html on the model level,
you'd just want to do the following.
require 'erb'

class Post
  # Return the content escaped unless the caller explicitly opts out.
  # ERB::Util.h is the same h() helper the views use; the original
  # snippet reached it through a `helper` object, which a model does not have.
  def content(escape = true)
    if escape
      ERB::Util.h(self[:content])
    else
      self[:content]
    end
  end
end
That worked in Rails 1.1.6; I don't know if it still works.
=================
<html>
<body>
<%= render :partial => "content" %>
</body>
</html>
Or indeed <%= link_to ... %>, <%= text_field ... %>. With the current setup it's going to be very hard to get this right.
Fred
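To make the concern raised in this thread concrete (output of helpers such as link_to, text_field or a rendered partial must not be escaped a second time), here is an added example that is not code from the thread or from Rails: a minimal escape-by-default ERB renderer in which helper output is marked safe and a raw() call is the explicit opt-out. SafeString, escape_unless_safe, raw, link_to and render_escaped are hypothetical names chosen for this example.

```ruby
require 'erb'

# Marker class: a string a helper has already escaped and marked safe.
# (Hypothetical; Rails 3 later did the same with SafeBuffer/html_safe.)
class SafeString < String
  def html_safe?
    true
  end
end

# Escape-by-default rule: anything not marked safe is HTML-escaped on output.
def escape_unless_safe(value)
  return value.to_s if value.respond_to?(:html_safe?) && value.html_safe?
  ERB::Util.html_escape(value.to_s)
end

# Explicit opt-out, the role of the <%=n ... %> tag asked for in the thread.
def raw(value)
  SafeString.new(value.to_s)
end

# Stand-in for a view helper: it escapes its own inputs and marks the
# result safe, so the template layer does not escape the markup again.
def link_to(text, url)
  SafeString.new(%(<a href="#{ERB::Util.html_escape(url)}">#{ERB::Util.html_escape(text)}</a>))
end

# Render an ERB template where every <%= %> passes through
# escape_unless_safe; locals are exposed as template variables.
def render_escaped(template, locals = {})
  src = template.gsub(/<%=\s*(.*?)\s*%>/) { "<%= escape_unless_safe(#{$1}) %>" }
  b = binding
  locals.each { |name, value| b.local_variable_set(name, value) }
  ERB.new(src).result(b)
end

# Constructed sample input: a hostile comment next to helper output and an opt-out.
SAMPLE_TEMPLATE = '<p><%= comment %></p><%= link_to(name, url) %><%= raw(body) %>'
SAMPLE_LOCALS = { comment: '<script>x</script>', name: 'a&b',
                  url: '/x?a=1&b=2', body: '<b>ok</b>' }

puts render_escaped(SAMPLE_TEMPLATE, SAMPLE_LOCALS) if $PROGRAM_NAME == __FILE__
```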