Hey,
I don’t understand why Rails seems to mandate escaping HTML in the view rather than when it’s inserted into the database. I cringe when I think about all those needlessly repeated function calls.
What’s the deal?
Ian Leitch wrote:
I don't understand why Rails seems to mandate escaping HTML in the view rather than when it's inserted into the database. I cringe when I think about all those needlessly repeated function calls.
To make sure that nothing in the database, whether it was inserted by your application or not, will break your views.
-- Marcus
Of course, Rails' opinion is that it is the only thing touching the database. I'd say the reason you would want it in plain text in the database by default is that you wouldn't necessarily always be outputting HTML. If you never plan on needing anything other than the HTML output, then by all means, store HTML in the database. However, in most cases, doing so from the start would be a premature optimization.
Jeremy
I don’t believe that Rails mandates that you escape your characters. Only the default scaffolding does that. It’s a good idea to do it because it allows you to be flexible.
Of course, it would be a fun exercise to make an acts_as_sanitized plugin that would sanitize the data coming in to the model. Should be pretty easy to do too… it might be a good exercise for someone wanting to write his or her first plugin.
I hadn’t taken into consideration media types other than HTML, and I do plan to output XML at some point. I agree with Jeremy that it’s a premature optimization; I’ll reassess the issue in the future.
Thanks for pointing me in the right direction.
Ian Leitch wrote:
Hey,
I don't understand why Rails seems to mandate escaping HTML in the view rather than when it's inserted into the database. I cringe when I think about all those needlessly repeated function calls.
What's the deal?
Because HTML escaping is part of the process of presenting the information as HTML. There may be other ways of getting to the data, e.g. via a web service or in a CSV report.
regards
Justin
Brian Hogan wrote:
Of course, it would be a fun excercise to makes an acts_as_sanitized plugin that would sanitize the data coming in to the model. Should be pretty easy to do too... it might be a good excercise for someone wanting to write his or her first plugin.
Here's one I prepared earlier:
http://groups.google.com/group/rubyonrails-core/msg/61913e7144507590
Because you're not storing HTML, you're storing text. HTML is one possible (albeit likely) presentation format. Other people may want to work with your data, though, outside of a web browser.
Store text, and run it through "h" when you need to show it in a browser.
Michael
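The following is an added example, not code from the thread or from Rails, that makes the replies above concrete in plain Ruby (no Rails required): it stores one constructed comment string both ways (raw, as Marcus, Jeremy, Justin and Michael recommend, and pre-escaped on insert, as the original question proposed) and renders each through an HTML view, a CSV row and a JSON document. The sample strings, the function names, and the hand-written RFC 4180 CSV quoting are all assumptions made for the example; `ERB::Util.html_escape` is the real method behind Rails' `h` helper.

```ruby
require "erb"
require "json"

# Constructed sample input (not from the thread): what a user typed into a
# comment form. It contains every character that matters for HTML escaping.
RAW_COMMENT = %q{Tom & Jerry say "1 < 2" <script>alert(1)</script>}

# Constructed second row: inserted by a bulk import script, so it never
# passed through the application's "escape on insert" path.
IMPORTED_COMMENT = %q{<img src=x onerror="alert(2)">}

# Escaping is a property of the output format, so it lives next to the output.
module Present
  # HTML text context. Rails' `h` helper is ERB::Util.html_escape.
  def self.html(text)
    ERB::Util.html_escape(text)
  end

  # CSV report: RFC 4180 quoting is the only escaping wanted here.
  # (Hand-written so the example needs no csv gem; an assumption, not Rails code.)
  def self.csv_row(fields)
    fields.map do |f|
      s = f.to_s
      s.match?(/[",\r\n]/) ? %("#{s.gsub('"', '""')}") : s
    end.join(",")
  end

  # Web service / JSON: JSON's own escaping, again no HTML entities.
  def self.json(text)
    JSON.generate("comment" => text)
  end
end

# Strategy A (the thread's advice): store the text as typed, escape on output.
def store_raw(text)
  text
end

# Strategy B (the original question): escape once on insert and trust the
# database to hold ready-made HTML.
def store_escaped(text)
  ERB::Util.html_escape(text)
end

# A view that escapes everything it interpolates (what `h` in the scaffold
# does, and what later Rails versions do by default).
def escaping_view(stored)
  "<p>#{Present.html(stored)}</p>"
end

# A view written on the assumption that the database already holds safe HTML.
def trusting_view(stored)
  "<p>#{stored}</p>"
end

# Runs both strategies through each output and returns the results so the
# failure modes can be inspected (or asserted on) rather than eyeballed.
def compare_strategies
  raw = store_raw(RAW_COMMENT)
  esc = store_escaped(RAW_COMMENT)
  {
    # Strategy A: correct in every format.
    raw_html: escaping_view(raw),
    raw_csv:  Present.csv_row(["alice", raw]),
    raw_json: Present.json(raw),
    # Strategy B, failure 1: an escaping view double-escapes (&amp;amp;).
    esc_html_double: escaping_view(esc),
    # Strategy B, failure 2: HTML entities leak into non-HTML formats.
    esc_csv:  Present.csv_row(["alice", esc]),
    esc_json: Present.json(esc),
    # Strategy B, failure 3: a trusting view is only safe if *every* writer
    # escaped; the imported row did not, and the view cannot tell.
    esc_trusting_app_row:      trusting_view(esc),
    esc_trusting_imported_row: trusting_view(IMPORTED_COMMENT),
  }
end

if __FILE__ == $PROGRAM_NAME
  compare_strategies.each { |k, v| puts "#{k}: #{v}" }
end
```

Running it shows the three things the replies argue: the pre-escaped row comes out double-escaped the moment a view escapes on its own, `&lt;script&gt;` turns up verbatim in the CSV and JSON output, and the trusting view is only as safe as the least careful writer to the table. Escaping once per render is cheap next to that.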