I'm just getting started with RoR (and web development in general).
I know that when outputting user-supplied data we should escape it with the h()
helper.
Is there a way to ensure that all form data (params?) received by an action is guaranteed to be escaped automatically? (I do understand that it's a wise decision to escape HTML when displaying in a view, which I will be doing in any case.)
A:
Don't know if this is the answer you were looking for, but you can do this by upgrading your app to Rails 3 - quoting Ryan Bates: "In Rails 3, however, output is escaped automatically so there's no need to put the h method" - read the asciicast or watch the railscast :)
stephenmurdoch
2010-09-15 06:24:03
Thanks, that's great news on the "output" front, but I was wondering if it was possible to do the escaping such that even the action would only get HTML-escaped text? (Would love to use Rails 3.0 but there seem to be problems with the mysql2 gem that doesn't work with it :( )
Zabba
2010-09-15 06:34:07
Seems like there is a plugin for this (for RoR 2.3.7+, I believe) called rails_xss. Thanks for your inputs!
Zabba
2010-09-17 05:31:24
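Added example, not code from the question, the answer or the Rails project: a minimal pure-Ruby model of the output-time escaping that Rails 3 and rails_xss perform, and of why escaping params on the way in (as the question asks) leads to double-escaped output. The `SafeString`, `OutputBuffer` and `render_comment` names are illustrative stand-ins for ActiveSupport's SafeBuffer machinery, and the sample input is constructed.

```ruby
require "erb"

# A string a template has declared trusted (already escaped or known-good markup).
class SafeString < String
  def html_safe?
    true
  end
end

class String
  # Plain strings are untrusted by default; only SafeString instances are safe.
  def html_safe?
    false
  end

  # Mark a string as trusted markup; the caller takes responsibility for it.
  def html_safe
    SafeString.new(self)
  end
end

# The template output buffer: anything appended is escaped unless html_safe?.
# This is the auto-escaping behaviour the answer describes for Rails 3.
class OutputBuffer < SafeString
  def <<(value)
    # Keep String subclasses as-is so the html_safe? marker survives.
    str = value.is_a?(String) ? value : value.to_s
    super(str.html_safe? ? str : ERB::Util.html_escape(str))
  end
end

# Render a comment: untrusted author text is escaped, trusted markup passes through.
def render_comment(author, body_html)
  buf = OutputBuffer.new
  buf << "<p>".html_safe
  buf << author          # untrusted param: escaped automatically
  buf << ": ".html_safe
  buf << body_html       # escaped unless the caller marked it html_safe
  buf << "</p>".html_safe
  buf.to_s
end

# Constructed sample input standing in for a user-supplied params value.
EVIL_AUTHOR = "<script>alert(1)</script>"

# Escaping at input time (the question's idea) is escaped again at output time,
# so "<b>" would render as the literal text "&lt;b&gt;" instead of "<b>".
def double_escaped(input)
  OutputBuffer.new.tap { |b| b << ERB::Util.html_escape(input) }.to_s
end
```

Escape once, at output, and mark only deliberately sanitized markup as html_safe; storing pre-escaped params makes every other consumer of the data (APIs, mailers, CSV exports) deal with HTML entities.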