Anthony Ettinger
2008-Jul-06 19:03 UTC
rails security model defaults to non-escaped output
Is there a way to toggle the security model so all output is escaped by default, and passing <%=n (paragraph) %> when I do *not* want my output escaped?

Having to add <%=h () %> currently to do it is cumbersome and prone to mistakes.

--
Anthony Ettinger
408-656-2473
http://anthony.ettinger.name

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
Matthew Rudy Jacobs
2008-Jul-06 21:14 UTC
Re: rails security model defaults to non-escaped output
Anthony Ettinger wrote:
> Is there a way to toggle the security model so all output is escaped
> by default, and passing <%=n (paragraph) %> when I do *not* want my
> output escaped?
> Having to add <%=h () %> currently to do it is cumbersome and prone to
> mistakes.
>
> --
> Anthony Ettinger
> 408-656-2473
> http://anthony.ettinger.name

Think of it this way...
if <%= ... %> always outputted escaped HTML... then what would happen with this code?

index.html.erb
================
<html>
<body>
<%= render :partial => "content" %>
</body>
</html>
================

_content.html.erb
================
<p><strong>some content</strong></p>
================

output
================
<html>
<body>
&lt;p&gt;&lt;strong&gt;some content&lt;/strong&gt;&lt;/p&gt;
</body>
</html>
================

oh yeah...
that'd be a bit rubbish.

hope that helps.

http://workingwithrails.com/person/12394-matthew-rudy-jacobs
--
Posted via http://www.ruby-forum.com/.
But the question was if there was a way to modify the models, not ERB (which is what changes Ruby to strings). And no, there isn't a Rails way to do what you are asking, and unfortunately I don't know any plugins that do that. I have thought about it myself a few times, and if it really bothers you I'd suggest writing a plugin for it. I'm sure it'd get much appreciation.

j

On Jul 6, 10:14 pm, Matthew Rudy Jacobs <rails-mailing-l...@andreas-s.net> wrote:
> Anthony Ettinger wrote:
> > Is there a way to toggle the security model so all output is escaped
> > by default, and passing <%=n (paragraph) %> when I do *not* want my
> > output escaped?
> > Having to add <%=h () %> currently to do it is cumbersome and prone to
> > mistakes.
> >
> > --
> > Anthony Ettinger
> > 408-656-2473
> > http://anthony.ettinger.name
>
> Think of it this way...
> if <%= ... %> always outputted escaped HTML... then what would happen
> with this code?
>
> index.html.erb
> ================
> <html>
> <body>
> <%= render :partial => "content" %>
> </body>
> </html>
> ================
>
> _content.html.erb
> ================
> <p><strong>some content</strong></p>
> ================
>
> output
> ================
> <html>
> <body>
> &lt;p&gt;&lt;strong&gt;some content&lt;/strong&gt;&lt;/p&gt;
> </body>
> </html>
> ================
>
> oh yeah...
> that'd be a bit rubbish.
>
> hope that helps.
>
> http://workingwithrails.com/person/12394-matthew-rudy-jacobs
> --
> Posted via http://www.ruby-forum.com/.
Matthew Rudy Jacobs
2008-Jul-06 21:32 UTC
Re: rails security model defaults to non-escaped output
"Wolas!" wrote:
> But the question was if there was a way to modify the models, not ERB
> (which is what changes Ruby to strings). And no, there isn't a Rails way
> to do what you are asking, and unfortunately I don't know any plugins
> that do that. I have thought about it myself a few times and if it
> really bothers you I'd suggest writing a plugin for it. I'm sure it'd get
> much appreciation.
>
> j
>
> On Jul 6, 10:14 pm, Matthew Rudy Jacobs <rails-mailing-l...@andreas-

no, that isn't what he asked.
He asked about "the security model" in a generic sense.
namely he was asking about ERB template escaping.

I imagine if you wanted to escape HTML on the model level, you'd just want to do the following.

require 'erb'

# self[:content] reads the raw column value, so this assumes an
# ActiveRecord model.
class Post < ActiveRecord::Base
  # The view helper h() is ERB::Util#html_escape; call it directly rather
  # than reaching for a view helper object from inside the model.
  def content(escape = true)
    if escape
      ERB::Util.html_escape(self[:content])
    else
      self[:content]
    end
  end
end

that worked in rails 1.1.6, don't know if it still works.
--
Posted via http://www.ruby-forum.com/.
Frederick Cheung
2008-Jul-06 22:23 UTC
Re: rails security model defaults to non-escaped output
> ================
> <html>
> <body>
> <%= render :partial => "content" %>
> </body>
> </html>
> ================

Or indeed <%= link_to ... %>, <%= text_field ... %>. With the current setup it's going to be very hard to get this right.

Fred
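The objection raised in the thread (that an escape-by-default <%= %> would mangle render :partial, link_to and text_field) is the exact problem an escape-by-default template engine has to solve: the output buffer escapes everything except values carrying a "safe" marker, and the template engine and its trusted helpers are the only things that produce marked values. That is the approach Rails later adopted in 3.0 (html_safe, raw, ActiveSupport::SafeBuffer). The following is an added example, not code from this thread or from Rails: a minimal stand-in for ERB that supports <%= expr %> (escaped unless marked safe) and <%== expr %> (the raw opt-out the original question asked for). The SafeBuffer, SafeTemplate and View class names, the link_to and render_partial helper signatures, and the sample page and its hostile comment are all constructed for the example.

```ruby
require 'cgi'

# Marker type: a String that the template buffer appends verbatim.
class SafeBuffer < String
  def html_safe?
    true
  end

  # ERB-style compilers call .to_s on every inserted value; String#to_s would
  # downgrade a subclass to a plain String and lose the marker, so return self.
  def to_s
    self
  end

  # The <%= %> path: escape everything that is not already marked safe.
  def <<(value)
    if value.respond_to?(:html_safe?) && value.html_safe?
      super(value.to_s)
    else
      super(CGI.escapeHTML(value.to_s))
    end
  end
  alias_method :concat, :<<

  # Explicit opt-out, used for the template's own literal text and for <%== %>.
  def safe_concat(value)
    String.instance_method(:<<).bind(self).call(value.to_s)
  end
end

class String
  def html_safe?
    false
  end

  # For helpers that have already escaped their inputs and built trusted markup.
  def html_safe
    SafeBuffer.new(self)
  end
end

# Minimal escape-by-default template engine (a stand-in for ERB, assumed here):
#   <%= expr %>   inserted escaped unless expr is marked safe
#   <%== expr %>  inserted raw
class SafeTemplate
  TAG = /(<%==?.*?%>)/m

  def initialize(source)
    @source = source
  end

  # Evaluates each tag's expression against `view` (whose methods are the
  # template's locals and helpers) and returns a SafeBuffer.
  def render(view)
    out = SafeBuffer.new
    @source.split(TAG).each do |piece|
      if (tag = piece.match(/\A<%(==?)(.*?)%>\z/m))
        value = view.instance_eval(tag[2])
        if tag[1] == '=='
          out.safe_concat(value)
        else
          out << value
        end
      else
        out.safe_concat(piece) # literal template text is author-controlled
      end
    end
    out
  end
end

# Render context: locals are exposed as methods, plus two helpers that build
# markup. The helper names are assumptions for this example, not Rails' API.
class View
  def initialize(locals)
    @locals = locals
  end

  def method_missing(name, *args)
    @locals.key?(name) ? @locals[name] : super
  end

  def respond_to_missing?(name, include_private = false)
    @locals.key?(name) || super
  end

  # Escapes its own inputs, then marks the assembled markup safe so that
  # <%= link_to(...) %> is not escaped a second time.
  def link_to(text, href)
    %(<a href="#{CGI.escapeHTML(href)}">#{CGI.escapeHTML(text)}</a>).html_safe
  end

  # A rendered partial is already a SafeBuffer, so <%= render_partial(...) %>
  # inserts it verbatim: the double-escaping objection does not arise.
  def render_partial(source, locals = {})
    SafeTemplate.new(source).render(View.new(@locals.merge(locals)))
  end
end

PAGE = <<~TEMPLATE
  <p><%= comment %></p>
  <%= link_to(author, profile_url) %>
  <%= render_partial(footer) %>
  <div class="widget"><%== widget_html %></div>
TEMPLATE

FOOTER = '<p>Posted by <%= author %></p>'

# Constructed sample input: the comment is hostile user data, the widget markup
# is trusted server-generated HTML, everything else is plain data.
def render_sample_page
  SafeTemplate.new(PAGE).render(View.new(
    comment: '<script>alert(1)</script>',
    author: 'Tom & Jerry',
    profile_url: 'http://example.com/?a=1&b=2',
    footer: FOOTER,
    widget_html: '<b>trusted</b>'
  ))
end

puts render_sample_page if __FILE__ == $PROGRAM_NAME
```

Run as a script, it prints the comment escaped, the link and the partial intact (each escaped exactly once, by the helper or the nested render), and the widget raw. The design point is that "safe" is a property of where a value came from, not of the value: only the template engine and audited helpers can mint a SafeBuffer, so a forgotten h() becomes impossible and the remaining review surface is the small set of places that call html_safe or use <%== %>.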