What's wrong with textilize?

Hi,

I've just finished reading "Beginning Ruby on Rails E-Commerce"... phew...

Sam,

I can't speak for the author but I've been under the impression that textilize alone wasn't considered secure. I've been given the impression that alone textilize doesn't clean text quite like sanitize does.

I suspect that a textilize and sanitize solution would be safe.

Textilize alone may be open to some JavaScript hacks. I'm not certain on this. Can anyone confirm or refute?

Carl

ssk wrote:

I've just finished reading "Beginning Ruby on Rails E-Commerce"... phew...

Caution: Although textilize is a cool quick-and-dirty helper, as a rule of thumb, it should never be used in a production setting.

Why? And what's the alternative?

Hi Sam,

The same page presents the alternative: do the textilization when the object is saved and save the textilized output in the database. That way you just output straight html and avoid using the textilize helper in the display phase.
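Putting Carl's "textilize plus sanitize" point and Jarkko's "render at save time" advice together, here is an added example (not code from the thread, the book, or Rails itself) of a model that converts Textile-style markup to HTML once, sanitizes the result, and stores it, so the view outputs stored HTML rather than calling the textilize helper on every request. The Textile subset and the whitelist sanitizer below are assumed, tiny stand-ins for RedCloth and Rails' `sanitize` helper, written so the example runs offline; real code would call those libraries instead. The `Post` class and its `body`/`body_html` columns are likewise assumptions.

```ruby
# Stand-in for RedCloth: paragraphs, *bold* and _italic_ only (constructed
# for this example). Like RedCloth's default mode it passes inline HTML
# through untouched, which is why the rendered output still needs sanitizing.
def textile_to_html(src)
  src.strip.split(/\n{2,}/).map do |para|
    html = para.strip
      .gsub(/\*(.+?)\*/, '<strong>\1</strong>')
      .gsub(/_(.+?)_/, '<em>\1</em>')
    "<p>#{html}</p>"
  end.join("\n")
end

# Stand-in for Rails' sanitize helper (constructed): a small whitelist.
ALLOWED_TAGS  = %w[p strong em a br].freeze
ALLOWED_ATTRS = { 'a' => %w[href] }.freeze

def sanitize_html(html)
  # Drop script/style elements together with their content first.
  html = html.gsub(%r{<(script|style)\b[^>]*>.*?</\1\s*>}mi, '')
  # Then walk every remaining tag: keep whitelisted tags with whitelisted
  # attributes only, and strip everything else (including on* handlers).
  html.gsub(%r{</?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>}) do
    tag, attrs = $1.downcase, $2
    closing = $&.start_with?('</')
    next '' unless ALLOWED_TAGS.include?(tag)
    next "</#{tag}>" if closing
    kept = attrs.scan(/([a-zA-Z-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/).select do |name, value|
      name = name.downcase
      next false unless ALLOWED_ATTRS.fetch(tag, []).include?(name)
      # Refuse javascript: URLs even in a whitelisted href attribute.
      !(name == 'href' && value.delete('"\'').strip.downcase.start_with?('javascript:'))
    end
    kept.empty? ? "<#{tag}>" : "<#{tag} #{kept.map { |n, v| "#{n.downcase}=#{v}" }.join(' ')}>"
  end
end

# Stand-in for an ActiveRecord model (assumed columns: body, body_html).
class Post
  attr_accessor :body, :body_html

  def initialize(body)
    @body = body
  end

  # What a before_save callback would do: render and sanitize once, then
  # persist the HTML, so the display phase never runs textilize.
  def save
    @body_html = sanitize_html(textile_to_html(@body))
    true
  end

  # The view prints this straight; it is already rendered and sanitized.
  def render
    @body_html
  end
end

if __FILE__ == $0
  # Constructed user input mixing legitimate Textile with hostile HTML.
  post = Post.new("Hello *world*\n\n<script>alert(1)</script> " \
                  "<a href=\"javascript:alert(1)\" onclick=\"x()\">link</a> " \
                  "and <a href=\"https://example.com\">ok</a>")
  post.save
  puts post.render
end
```

Because the stored `body_html` is printed unescaped in the view, the sanitizing step at save time is what keeps the page safe; storing raw Textile output without it would only move the problem from the view into the database.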

Jarkko Laine wrote:

ssk wrote:

> I've just finished reading "Beginning Ruby on Rails E-Commerce"... phew...
>
> Caution: Although textilize is a cool quick-and-dirty helper, as a rule of thumb, it should never be used in a production setting.
>
> Why? And what's the alternative?

Hi Sam,

The same page presents the alternative: do the textilization when the object is saved and save the textilized output in the database. That way you just output straight html and avoid using the textilize helper in the display phase.

Hi Jarkko,

You're one of the authors of the book, right? Thank you very much for the answer. Now I know what the caution means. The textilize method in itself is OK, but it should be used when saving to the DB, not as a helper in the view.

Regards, Sam