Why escape HTML in the view?

Hey,

I don’t understand why Rails seems to mandate escaping HTML in the view rather than when it’s inserted into the database. I cringe when I think about all those needlessly repeated function calls.

What’s the deal?

Ian Leitch wrote:

I don't understand why Rails seems to mandate escaping HTML in the view rather than when it's inserted into the database. I cringe when I think about all those needlessly repeated function calls.

To make sure that nothing in the database, whether it was inserted by
your application or not, will break your views.

-- Marcus

Of course, Rails opinion is that it is the only thing touching the
database. I'd say the reason you would want it in plain text in the
database by default is that you wouldn't necessarily always be
outputting HTML. If you never plan on needing anything other than the
HTML output, then by all means, store HTML in the database. However,
in most cases, doing so from the start would be a premature
optimization.

Jeremy

@Ian

I don’t believe that Rails mandates that you escape your characters. Only the default scaffolding does that. It’s a good idea to do it because it allows you to be flexible.

Of course, it would be a fun exercise to make an acts_as_sanitized plugin that would sanitize the data coming into the model. Should be pretty easy to do too… it might be a good exercise for someone wanting to write his or her first plugin.

I hadn’t taken into consideration media types other than HTML, and I do plan to output XML at some point.
I agree with Jeremy that it’s a premature optimization; I’ll reassess the issue in the future.

Thanks for pointing me in the right direction.

Ian Leitch wrote:

Hey,

I don't understand why Rails seems to mandate escaping HTML in the view
rather than when it's inserted into the database. I cringe when I think
about all those needlessly repeated function calls.

What's the deal?

Because HTML escaping is part of the process of presenting the information as HTML. There may be other ways of getting to the data, e.g. via a web service or in a CSV report.

regards

   Justin

Brian Hogan wrote:

Of course, it would be a fun exercise to make an acts_as_sanitized plugin that would sanitize the data coming into the model. Should be pretty easy to do too... it might be a good exercise for someone wanting to write his or her first plugin.

Here's one I prepared earlier:

http://groups.google.com/group/rubyonrails-core/msg/61913e7144507590

Because you're not storing HTML, you're storing text. HTML is one
possible (albeit likely) presentation format. Other people may want to
work with your data, though, outside of a web browser.

Store text, and run it through "h" when you need to show it in a
browser.

Michael
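An added example, not from any post in this thread, that illustrates Justin's and Michael's point in plain Ruby: the same stored text is escaped differently for HTML, XML and CSV at presentation time, and escaping it for HTML before storage leaves every other consumer with HTML entities and a careful view double-escaping it. It uses the standard library `ERB::Util.html_escape` (what the Rails `h` helper wraps); the sample comment is constructed.

```ruby
require "erb"   # ERB::Util.html_escape is what Rails' `h` helper wraps
require "csv"

# Constructed sample of a comment as the user typed it. This is what the
# "store text, escape in the view" approach keeps in the database.
RAW_COMMENT = %q{Tom & Jerry wrote "<b>hello</b>"}

# Presentation-time escaping: each renderer takes the stored plain text
# and applies only the escaping its own output format needs.
def render_html(text)
  ERB::Util.html_escape(text)     # escapes & < > " ' for an HTML view
end

def render_xml(text)
  text.encode(xml: :text)         # XML text-node escaping from the stdlib
end

def render_csv(text)
  CSV.generate_line([text]).chomp # CSV needs quoting, not HTML entities
end

# The alternative: escape for HTML once, on the way into the database.
def store_pre_escaped(text)
  ERB::Util.html_escape(text)
end

# A view that correctly escapes its input now double-escapes pre-escaped
# data: the stored "&lt;" becomes "&amp;lt;" and the user sees "&lt;".
def double_escaped?(stored)
  render_html(stored).include?("&amp;lt;")
end

if __FILE__ == $PROGRAM_NAME
  puts render_html(RAW_COMMENT)
  puts render_xml(RAW_COMMENT)
  puts render_csv(RAW_COMMENT)
  stored = store_pre_escaped(RAW_COMMENT)
  puts render_csv(stored)         # the CSV consumer gets HTML entities
  puts double_escaped?(stored)    # => true
end
```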