Rails 2.3 XSS Plugin
This is not new to those closely watching Rails development: in Rails 3 applications there is no need to call the h() function to HTML-escape output for security reasons, because output is escaped by default.
<%= h @something %>
is now the same as
<%= @something %>
To display the HTML, use:
<%= @something.html_safe %>
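As an added example (my own stand-alone sketch, not the plugin's or the post's code), here is the mechanism behind that behaviour in plain Ruby: an output buffer that escapes everything appended to it unless the value was marked with html_safe. It shows why h() becomes redundant and why h(h(x)) does not double-escape.

```ruby
require 'cgi'

# Constructed sketch of an ActiveSupport::SafeBuffer-like output buffer,
# the idea rails_xss brings to Rails 2.3. Not the plugin's own code.
class Object
  def html_safe?; false; end          # anything not explicitly marked is unsafe
end

class String
  def html_safe; SafeBuffer.new(self); end   # opt in: "this string is trusted HTML"
end

# The view's output buffer: appending plain text escapes it,
# appending a SafeBuffer passes it through untouched.
class SafeBuffer < String
  def html_safe?; true; end
  def html_safe;  self; end

  def <<(value)
    str = value.html_safe? ? value : CGI.escapeHTML(value.to_s)
    super(str)
  end
  alias_method :concat, :<<

  def +(other)
    dup << other
  end
end

# h() / html_escape: escape, then mark the result safe, so a second h() is a no-op
def html_escape(value)
  return value if value.html_safe?
  CGI.escapeHTML(value.to_s).html_safe
end
def h(value); html_escape(value); end

# Stand-in for a compiled template: each `<%= value %>` becomes `buf << value`
def render(*values)
  buf = SafeBuffer.new
  values.each { |v| buf << v }
  String.new(buf)
end

if __FILE__ == $0
  untrusted = %q(<script>alert("x")</script>)   # constructed sample input
  puts render(untrusted)            # escaped: &lt;script&gt;...
  puts render(h(untrusted))         # identical output; h() is redundant but harmless
  puts render(untrusted.html_safe)  # rendered verbatim: only for markup you trust
end
```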
To get this behaviour in Rails 2.3.x applications, you need to install the Rails XSS plugin.
Some installation notes:
Install rails 2.3.5 or higher, or freeze rails from 2-3-stable.
gem install rails
Install erubis
gem install erubis
Install this plugin
script/plugin install git://github.com/NZKoz/rails_xss.git
If you are using the exception notification plugin in production (which, by the way, you should), this fork of the original plugin might help you avoid weird issues related to the XSS plugin and Rails 2.3.5:
http://github.com/jeremyevans/exception_notification
script/plugin install git://github.com/jeremyevans/exception_notification.git
By the way, what does the h() stand for?
Thanks to Jesse for informing me: h stands for html_escape (because that's just what it does).
Update:
HAML escape html option
Reading this post, it seems that it's a much better option for me right now.
gem install haml (current version today is 2.2.7)
and add:
Haml::Template.options[:escape_html] = true
below the Rails config in environment.rb