Security.html - Safe ERB and Rails 3

Securing Rails Applications — Ruby on Rails Guides says, in Section 5 and in 8.3.2, that the Safe ERB plugin is recommended. This is an old (3 years plus) unrevised plugin that was probably very useful in Rails 1 and 2, but the main purpose seems to have been superseded by default in Rails 3 with default html_safe-ing of output.

So is this recommendation still a useful recommendation, or is it of historic value only?

Section 5:

Refer to the Injection section for countermeasures against XSS. It is recommended to use the SafeErb plugin also in an Intranet or administration interface.

Section 8.3.2:

As a second step, it is good practice to escape all output of the application, especially when re-displaying user input, which hasn't been input-filtered (as in the search form example earlier on). Use the escapeHTML() (or its alias h()) method to replace the HTML input characters &, ", <, > by their uninterpreted representations in HTML (&amp;, &quot;, &lt;, and &gt;). However, it can easily happen that the programmer forgets to use it, so it is recommended to use the SafeErb plugin. SafeErb reminds you to escape strings from external sources.

Cheers, JeremyC.
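To make the Rails 2 vs. Rails 3 difference concrete, here is an added example that is not code from the Rails guide, the SafeErb plugin or Rails itself. It is a stand-alone Ruby model of the Rails 3 behaviour: the SafeBuffer class, the ViewHelpers module, the render method and the demo method are simplified stand-ins constructed for this post (not the real ActiveSupport::SafeBuffer or ERB handler), and only ERB::Util.html_escape from Ruby's standard library is real. The point it shows is that in Rails 3 a forgotten h() no longer matters for a plain <%= %>, while raw, html_safe on user input remain the places where XSS can still get in, which is what SafeErb used to warn about.

```ruby
require 'erb'

# Simplified stand-in for ActiveSupport::SafeBuffer (constructed for this
# example, not the real class): a String that escapes anything appended to
# it unless the appended value is already marked html_safe.
class SafeBuffer < String
  def html_safe?
    true
  end

  # String#to_s on a subclass would return a plain String and drop the
  # "safe" marker, so return self instead (Rails does the same).
  def to_s
    self
  end

  # <%= %> in Rails 3 ends up here: escape unless the value vouches for itself.
  def concat(value)
    value = value.to_s
    safe_concat(value.html_safe? ? value : ERB::Util.html_escape(value))
  end

  def <<(value)
    concat(value)
  end

  # Used for the template's own literal markup, which is trusted by definition.
  def safe_concat(value)
    String.instance_method(:concat).bind(self).call(value)
  end

  # safe + unsafe must not silently yield a "safe" result: escape the right-hand side.
  def +(other)
    dup << other
  end
end

class String
  def html_safe?
    false
  end

  # The escape hatch: the developer asserts this string is trusted markup.
  # Calling it on user input recreates the Rails 2 hole.
  def html_safe
    SafeBuffer.new(self)
  end
end

module ViewHelpers
  # Rails 3 style h(): escapes and marks the result safe, so <%= %> does not escape it twice.
  def h(value)
    ERB::Util.html_escape(value.to_s).html_safe
  end

  # Rails 3 style raw(): opts out of escaping for one expression.
  def raw(value)
    value.to_s.html_safe
  end
end

# Toy renderer for <%= expr %> tags (constructed for the example, not ERB/Erubis).
# rails3: true uses a SafeBuffer output buffer (escape by default);
# rails3: false uses a plain String (Rails 2 behaviour: nothing is escaped).
def render(template, rails3:, **locals)
  view = Object.new.extend(ViewHelpers)
  locals.each { |name, value| view.define_singleton_method(name) { value } }
  buf = rails3 ? SafeBuffer.new('') : +''

  template.split(/(<%=.*?%>)/m).each do |piece|
    if piece.start_with?('<%=')
      buf << view.instance_eval(piece[3...-2].strip).to_s
    elsif rails3
      buf.safe_concat(piece)
    else
      buf << piece
    end
  end
  String.new(buf)
end

# Renders the same untrusted value through the cases discussed in the post.
def demo(name)
  {
    rails2_unescaped: render('<p>Hello <%= name %></p>', rails3: false, name: name),
    rails2_with_h:    render('<p>Hello <%= h(name) %></p>', rails3: false, name: name),
    rails3_default:   render('<p>Hello <%= name %></p>', rails3: true, name: name),
    rails3_with_h:    render('<p>Hello <%= h(name) %></p>', rails3: true, name: name),
    rails3_raw:       render('<p>Hello <%= raw(name) %></p>', rails3: true, name: name),
    rails3_html_safe: render('<p>Hello <%= name.html_safe %></p>', rails3: true, name: name),
    rails3_concat:    render('<p><%= "<b>Hello</b> ".html_safe + name %></p>', rails3: true, name: name)
  }
end

if __FILE__ == $0
  # Constructed sample input: a classic reflected-XSS probe.
  demo('<script>alert(1)</script>').each { |label, html| puts "#{label}: #{html}" }
end
```

Running the file shows the two Rails 2 rows differ only when h() was remembered, the three Rails 3 rows without raw/html_safe come out escaped exactly once, and the raw and html_safe rows reproduce the Rails 2 leak. In real Rails 3 the same conclusion holds: auditing for forgotten h() calls is mostly obsolete, and a reviewer's attention moves to every raw, html_safe and string-building helper that hands user data to the output buffer already marked safe.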

Yes, these remarks should be revised.