Rails 2.3 XSS Plugin

This is not new to those closely watching Rails development: Rails 3 applications escape HTML on output by default, so there is no need to wrap values in h() to escape them for security reasons.

<%= h @something %>
is now the same as
<%= @something %>
To output a string as raw HTML (unescaped), use:
<%= @something.html_safe %>

To get the same behaviour in Rails 2.3.x applications, install the Rails XSS plugin.
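The escaping model described above (unsafe strings escaped on output, html_safe strings passed through, no double escaping) can be reproduced without Rails. The following is an added example, not code from rails_xss: SafeBuffer and HtmlEscape are cut-down stand-ins for the plugin's safe buffer and its html_escape helper, and render_greeting simulates what a template like `<p>Hello, <%= @name %></p>` produces.

```ruby
# Added illustration of the rails_xss escaping model; not the plugin's own code.
# Rails 2.3's html_escape replaces & < > and " (same set used here).
module HtmlEscape
  HTML_ESCAPE = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;' }

  # Escape unless the value is already marked safe: this is what stops
  # "<%= h @something %>" from escaping an html_safe value twice.
  def self.html_escape(s)
    return s if s.respond_to?(:html_safe?) && s.html_safe?
    SafeBuffer.new(s.to_s.gsub(/[&"><]/) { |c| HTML_ESCAPE[c] })
  end

  def self.h(s)   # h() is just an alias for html_escape
    html_escape(s)
  end
end

# Stand-in for the plugin's safe buffer (hypothetical name: SafeBuffer).
class SafeBuffer < String
  def html_safe?
    true
  end

  # Appending an unsafe string escapes it; a safe string is appended verbatim.
  def <<(other)
    safe = other.respond_to?(:html_safe?) && other.html_safe?
    replace(to_s + (safe ? other.to_s : HtmlEscape.html_escape(other.to_s).to_s))
  end

  # Template literals are trusted and are appended without escaping.
  def safe_concat(other)
    replace(to_s + other.to_s)
  end
end

# Mirrors String#html_safe / String#html_safe? as added by the plugin.
class String
  def html_safe?; false; end
  def html_safe; SafeBuffer.new(self); end
end

# Simulates rendering "<p>Hello, <%= @name %></p>" under rails_xss.
def render_greeting(name)
  buf = SafeBuffer.new
  buf.safe_concat('<p>Hello, ')
  buf << name                 # escaped unless name.html_safe? is true
  buf.safe_concat('</p>')
end
```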

Some installation notes:

Install Rails 2.3.5 or higher, or freeze Rails from the 2-3-stable branch.

gem install rails

Install erubis (the plugin uses it as its ERB template handler):

gem install erubis

Install the plugin itself:

script/plugin install git://github.com/NZKoz/rails_xss.git

If you are using the exception notification plugin in production (which, by the way, you should), this fork of the original plugin might help you avoid weird issues between the XSS plugin and Rails 2.3.5:

http://github.com/jeremyevans/exception_notification

script/plugin install git://github.com/jeremyevans/exception_notification.git

By the way, what does the h() stand for?

Thanks to Jesse for informing me, h stands for html_escape (because that’s just what it does).

Update:

HAML escape_html option

Reading this post, it seems that it’s a much better option for me right now.

gem install haml (current version today is 2.2.7)

and add:
Haml::Template.options[:escape_html] = true
below the Rails config in environment.rb. With this option set, HAML escapes the output of = expressions by default, the same way the XSS plugin does for ERB.