Hey,

I don't understand why Rails seems to mandate escaping HTML in the view rather than when it's inserted into the database. I cringe when I think about all those needlessly repeated function calls.

What's the deal?

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk
-~----------~----~----~----~------~----~------~--~---
Why not just escape it when it is inserted, then? Overload the accessor to process the strings in the model.

-carl

On 9/21/06, Ian Leitch <port001-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Hey,
>
> I don't understand why Rails seems to mandate escaping HTML in the view
> rather than when it's inserted into the database. I cringe when I think
> about all those needlessly repeated function calls.
>
> What's the deal?
Ian Leitch wrote:
> I don't understand why Rails seems to mandate escaping HTML in the view
> rather than when it's inserted into the database. I cringe when I think
> about all those needlessly repeated function calls.

To make sure that nothing in the database, whether it was inserted by your application or not, will break your views.

-- Marcus
On 9/21/06, Marcus Brito <mbrito-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > I don't understand why Rails seems to mandate escaping HTML in the view
> > rather than when it's inserted into the database. I cringe when I think
> > about all those needlessly repeated function calls.
>
> To make sure that nothing in the database, whether it was inserted by
> your application or not, will break your views.

Of course, Rails' opinion is that it is the only thing touching the database.

I'd say the reason you would want it in plain text in the database by default is that you wouldn't necessarily always be outputting HTML. If you never plan on needing anything other than the HTML output, then by all means, store HTML in the database. However, in most cases, doing so from the start would be a premature optimization.

Jeremy
@Ian

I don't believe that Rails *mandates* that you escape your characters. Only the default scaffolding does that. It's a good idea to do it because it allows you to be flexible.

Of course, it would be a fun exercise to make an acts_as_sanitized plugin that would sanitize the data coming in to the model. Should be pretty easy to do too... it might be a good exercise for someone wanting to write his or her first plugin.

On 9/21/06, Ian Leitch <port001-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Hey,
>
> I don't understand why Rails seems to mandate escaping HTML in the view
> rather than when it's inserted into the database. I cringe when I think
> about all those needlessly repeated function calls.
>
> What's the deal?
I hadn't taken into consideration media types other than HTML, and I do plan to output XML at some point. I agree with Jeremy that it's a premature optimization; I'll reassess the issue in the future. Thanks for pointing me in the right direction.

On 22/09/06, Brian Hogan <bphogan-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> @Ian
>
> I don't believe that Rails *mandates* that you escape your characters.
> Only the default scaffolding does that. It's a good idea to do it because it
> allows you to be flexible.
>
> Of course, it would be a fun exercise to make an acts_as_sanitized
> plugin that would sanitize the data coming in to the model. Should be pretty
> easy to do too... it might be a good exercise for someone wanting to write
> his or her first plugin.
Ian Leitch wrote:
> Hey,
>
> I don't understand why Rails seems to mandate escaping HTML in the view
> rather than when it's inserted into the database. I cringe when I think
> about all those needlessly repeated function calls.
>
> What's the deal?

Because HTML escaping is part of the process of presenting the information as HTML. There may be other ways of getting to the data, e.g. via a web service or in a CSV report.

regards
Justin
Brian Hogan wrote:
> Of course, it would be a fun exercise to make an acts_as_sanitized
> plugin that would sanitize the data coming in to the model. Should be
> pretty easy to do too... it might be a good exercise for someone
> wanting to write his or her first plugin.

Here's one I prepared earlier: http://groups.google.com/group/rubyonrails-core/msg/61913e7144507590

-- We develop, watch us RoR, in numbers too big to ignore.
On Thu, Sep 21, 2006 at 03:54:13PM +0100, Ian Leitch wrote:
> Hey,
>
> I don't understand why Rails seems to mandate escaping HTML in the view
> rather than when it's inserted into the database. I cringe when I think
> about all those needlessly repeated function calls.
>
> What's the deal?

Because you're not storing HTML, you're storing text. HTML is one possible (albeit likely) presentation format. Other people may want to work with your data, though, outside of a web browser. Store text, and run it through "h" when you need to show it in a browser.

Michael

--
Michael Darrin Chaney
mdchaney-c1nKWHh82D8TjS1aD1bK6AC/G2K4zDHf@public.gmane.org
http://www.michaelchaney.com/
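As an added illustration of the point the replies make (not code from the thread or from Rails itself), the following Ruby script stores a comment as plain text and escapes only at presentation time, using stdlib ERB::Util.html_escape in place of the Rails `h` helper; the sample comment is constructed, and the "escaped at insert time" functions show what double escaping and a CSV export look like when the database already holds HTML.

```ruby
require 'erb'
require 'csv'

# Constructed sample: a comment body exactly as the user typed it.
# This is what the replies recommend storing: plain text, not HTML.
STORED_COMMENT = %q{Tom & Jerry say "1 < 2" <b>bold?</b>}

# Presentation-time escaping for the HTML view (the job of `h` in a Rails
# template). Characters with HTML meaning become entities, so user input can
# never become markup or script in the page.
def render_html(text)
  "<p>#{ERB::Util.html_escape(text)}</p>"
end

# The same stored text going to a non-HTML consumer: a CSV report wants the
# original characters, with only CSV's own quoting rules applied.
def render_csv(author, text)
  CSV.generate_line([author, text]).chomp
end

# What the "escape on insert" approach produces once the text reaches a view
# that escapes as a matter of course: entities get escaped a second time and
# the user sees literal "&amp;" on the page.
def double_escaped(text)
  ERB::Util.html_escape(ERB::Util.html_escape(text))
end

# And the CSV export of a column that was HTML-escaped before storage: the
# report now carries HTML entities that mean nothing to a spreadsheet user.
def render_csv_from_pre_escaped(author, text)
  CSV.generate_line([author, ERB::Util.html_escape(text)]).chomp
end

if __FILE__ == $0
  puts render_html(STORED_COMMENT)
  puts render_csv('alice', STORED_COMMENT)
  puts double_escaped(STORED_COMMENT)
  puts render_csv_from_pre_escaped('alice', STORED_COMMENT)
end
```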