Ruby on Rails Monday, August 30, 2010

Marcelo Barbudas wrote:
> Hi.
>
> Is there a way to disable the default xss escaping of everything in
> rails3?

I don't know of a way to disable it entirely, that's sort of the point.
Safe by default.

When you want to bypass the escaping you can use the 'raw'
method:

<%= raw my_unsafe_string %>

Think of this as the opposite of the old 'h' method.

> What's the proper way of doing string concatenations like below with
> rails3 if xss escaping can not be disabled:
> "something #{link_to('something else') if value == true}"

In helpers it's also possible to mark the string as html_safe:

"something #{link_to('something else') if value == true}".html_safe

Read this as, "I'm telling you that this is safe so don't escape it."
--
Posted via http://www.ruby-forum.com/.
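The two options in this reply have different blast radii: `raw` / `html_safe` tell the view "trust this whole string", so if any part of that interpolated string came from a user it reaches the page unescaped. The following is an added example, not code from the thread or from Rails itself; it uses a minimal stand-in `SafeBuffer` (an assumption, not ActiveSupport's real class) and a toy `link_to`/`erb_output` to show how the `".html_safe"` pattern behaves next to a version that only marks the helper-generated markup as safe.

```ruby
require 'erb'

# Minimal stand-in for ActiveSupport::SafeBuffer (assumption: not Rails'
# implementation, only the contract that matters here): appending an
# unsafe String escapes it, appending a safe buffer keeps its markup.
class SafeBuffer < String
  def html_safe?
    true
  end

  def +(other)
    piece = if other.respond_to?(:html_safe?) && other.html_safe?
              other.to_s
            else
              ERB::Util.html_escape(other.to_s)
            end
    SafeBuffer.new(String.new(self) + piece)
  end
end

class String
  def html_safe?
    false
  end

  def html_safe
    SafeBuffer.new(self)
  end
end

# Toy link helper (assumption): escapes its own inputs, then marks the
# resulting markup safe, like a real Rails helper would.
def link_to(text, href)
  ("<a href=\"" + ERB::Util.html_escape(href) + "\">" +
    ERB::Util.html_escape(text) + "</a>").html_safe
end

# What <%= %> does with a value: escape it unless it is marked safe.
def erb_output(value)
  value.html_safe? ? value.to_s : ERB::Util.html_escape(value.to_s)
end

# The pattern from the thread: interpolate, then mark everything safe.
# If `prefix` is user-controlled, it is emitted without escaping.
def label_unsafe(prefix, show_link)
  "#{prefix} #{link_to('something else', '/else') if show_link}".html_safe
end

# Hardened variant: start from a safe buffer and append pieces, so only
# the helper's markup stays raw while `prefix` is always escaped.
def label_safe(prefix, show_link)
  out = ''.html_safe + prefix
  out = out + ' ' + link_to('something else', '/else') if show_link
  out
end

if __FILE__ == $PROGRAM_NAME
  untrusted = '<b>hi</b>' # constructed sample of user-supplied text
  puts erb_output(label_unsafe(untrusted, true)) # markup passes through
  puts erb_output(label_safe(untrusted, true))   # prefix escaped, link kept
end
```

With a trusted literal prefix both helpers render the same HTML; the difference only shows up when the interpolated text is not something you wrote yourself, which is why building output from a safe buffer (or, in real Rails, `safe_join`) is the habit to prefer over a trailing `.html_safe`.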

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
