What's wrong with textilize?

Hi,

I've just finished reading "Beginning Ruby on Rails E-Commerce"...
phew...

Sam,

I can't speak for the author but I've been under the impression that
textilize alone wasn't considered secure. I've been given the
impression that alone textilize doesn't clean text quite like sanitize
does.

I suspect that a textilize and sanitize solution would be safe.

Textilize alone may be open to some javascript hacks. I'm not certain
on this. Can anyone confirm or refute?

Carl

ssk wrote:

I've just finished reading "Beginning Ruby on Rails E-Commerce"...
phew...

Caution: Although textilize is a cool quick-and-dirty helper, as a rule
of thumb, it should never be used in a production setting.

Why?
And what's the alternative?

Hi Sam,

The same page presents the alternative: do the textilization when the
object is saved and save the textilized output in the database. That
way you just output straight html and avoid using the textilize helper
in the display phase.

Jarkko Laine wrote:

ssk wrote:
> I've just finished reading "Beginning Ruby on Rails E-Commerce"...
> phew...
>
> Caution: Although textilize is a cool quick-and-dirty helper, as a rule
> of thumb, it should never be used in a production setting.
>
> Why?
> And what's the alternative?

Hi Sam,

The same page presents the alternative: do the textilization when the
object is saved and save the textilized output in the database. That
way you just output straight html and avoid using the textilize helper
in the display phase.

Hi Jarkko,

You're one of the authors of the book, right?
Thank you very much for the answer.
Now I know what the caution means.
textilize methos in itself is ok.
But it should be used when saving in DB not as a help in the view.

Regards,
Sam