I’m fiddling about with a Rails 3 app after reading Yehuda’s Rails 3.0 announcement. One of the things he talks about is Rails’ new paranoid XSS protection scheme: views escape output by default instead of relying on every developer remembering to call h().
I wasn’t able to find much about this, except this Slideshare deck, which happens to be in German.
Here’s what I can grok:
- Every string is now either HTML-safe or not. A plain Ruby String (including anything that came in through params) is not safe.
- <%= foo %> HTML-escapes any string that isn’t marked safe; a safe string is written out as-is. Concatenating an unsafe string onto a safe one escapes the unsafe part, so helpers that build markup stay safe end to end.
- You can inquire about a string’s safety through the html_safe? method.
- You can mark a string as safe through the html_safe method, which returns a copy wrapped as an ActiveSupport::SafeBuffer (the in-place html_safe! variant belonged to the earlier rails_xss plugin, not Rails 3). Note that string interpolation and to_s give you back a plain, unsafe String, so the mark is easy to lose, which only costs you double escaping, never a hole.
- You can intentionally display an unsafe, unescaped string in the view (if you’re damn sure) through the ‘raw’ function: <%= raw foo %>. raw is just foo.to_s.html_safe, so raw on user-controlled data is exactly the XSS the scheme exists to prevent; grep for raw and html_safe when reviewing a Rails 3 app.
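To see how the pieces above fit together, here is a small stand-alone model of the safe/unsafe string scheme. It is an added example written for this post, not Rails’ own code: the SafeBuffer class, raw, and the toy <%= %> renderer are my stand-ins for ActiveSupport::SafeBuffer and the Rails ERB handler, and the probe string is constructed sample input.

```ruby
require 'cgi'

# Model of the Rails 3 safe-string scheme (assumption: mimics the behaviour of
# ActiveSupport::SafeBuffer; it is not the Rails implementation).
class String
  def html_safe?
    false                      # a plain String is untrusted by default
  end

  def html_safe
    SafeBuffer.new(self)       # opt in: the caller vouches that self is markup
  end
end

class SafeBuffer < String
  alias safe_concat <<         # keep the original String#<<: appends verbatim

  def html_safe?
    true
  end

  # Appending to a safe buffer escapes anything not already marked safe.
  def <<(other)
    safe_concat(other.html_safe? ? other : CGI.escapeHTML(other.to_s))
  end
  alias concat <<

  def +(other)
    dup << other
  end
end

# View-side escape hatch: <%= raw foo %> renders foo verbatim.
def raw(value)
  value.to_s.html_safe
end

# Toy <%= %> renderer standing in for Rails' ERB handler (assumption: it only
# understands `<%= name %>` and `<%= raw name %>`, with values taken from locals).
def render(template, locals)
  out = SafeBuffer.new
  template.split(/(<%=.*?%>)/).each do |chunk|
    if (m = chunk.match(/\A<%=\s*(raw\s+)?(\w+)\s*%>\z/))
      value = locals.fetch(m[2].to_sym)
      out << (m[1] ? raw(value) : value)   # auto-escape unless raw
    else
      out.safe_concat(chunk)               # literal template text is trusted
    end
  end
  out
end

# Helper pattern: escape the untrusted part by appending it, wrap it in
# markup that is marked safe, and return the whole thing as a SafeBuffer.
def bold(text)
  SafeBuffer.new("<b>") << text << "</b>".html_safe
end

# Constructed sample input: the classic XSS probe.
USER_INPUT = "<script>alert(1)</script>"

if __FILE__ == $PROGRAM_NAME
  puts render("<p>Hello, <%= name %>!</p>", name: USER_INPUT)      # escaped
  puts render("<p>Hello, <%= raw name %>!</p>", name: USER_INPUT)  # XSS
  puts render("<p><%= b %></p>", b: bold(USER_INPUT))              # tags kept, text escaped
  puts "#{USER_INPUT.html_safe}".html_safe?                        # interpolation drops the mark
end
```

Run it as a script and compare the first two lines: the only difference between a harmless page and a script injection is the word raw. The bold helper shows the pattern every view helper should follow: untrusted text goes in through <<, trusted markup is added with html_safe, and the caller gets a SafeBuffer back so <%= bold(user_text) %> renders the tags without escaping them.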
Questions?