Commits on Oct 7, 2009
  1. @NZKoz

    Switch to on-by-default XSS escaping for rails.

    NZKoz committed
    This consists of:
    * String#html_safe! a method to mark a string as 'safe'
    * ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it
    * Calls to String#html_safe! throughout the rails helpers
    * a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presanitized strings in the DB)
    * New ERB implementation based on erubis which uses a SafeBuffer instead of a String
    Hat tip to Django for the inspiration.
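As an added illustration (not the Rails code from this commit), the following Ruby sketch models the mechanism the message describes: a SafeBuffer that escapes untrusted Strings on concatenation, html_safe! to mark a string as trusted, and raw for presanitized markup. The class and method names mirror the commit message; the bodies, the render_greeting helper and the sample inputs are stand-ins constructed here.

```ruby
require 'cgi'

# Stand-in for String#html_safe!: marks a (mutable) String as trusted.
class String
  def html_safe!
    @html_safe = true
    self
  end

  def html_safe?
    defined?(@html_safe) ? @html_safe : false
  end
end

# Stand-in for ActionView::SafeBuffer: a String that is always safe and
# HTML-escapes anything not already marked safe when it is appended.
class SafeBuffer < String
  def html_safe?
    true
  end

  def <<(value)
    if value.respond_to?(:html_safe?) && value.html_safe?
      super(value.to_s)               # trusted: pass through unchanged
    else
      super(CGI.escapeHTML(value.to_s)) # untrusted: escape on the way in
    end
  end
  alias concat <<

  def +(other)
    dup << other
  end
end

# Stand-in for the 'raw' helper: returns a safe copy of markup that was
# sanitized elsewhere (e.g. before being stored in the DB).
def raw(str)
  SafeBuffer.new(str.to_s)
end

# Builds one fragment: `name` is untrusted user input and is escaped,
# the template literal and the presanitized bio pass through as-is.
def render_greeting(name, sanitized_bio)
  buf = SafeBuffer.new('<p>Hello, ')
  buf << name
  buf << String.new('</p>').html_safe! # literal from the template, trusted
  buf << raw(sanitized_bio)            # constructed sample of DB-side HTML
  buf
end
```

Marking untrusted input with html_safe! or raw disables the escaping for that value, so the protection is only as good as the review of every call site that asserts safety.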
Commits on Jul 11, 2008
  1. @NZKoz


    NZKoz committed