Skip to content


Subversion checkout URL

You can clone with
Download ZIP
The original Safe ERB project pulled in from RubyForge
Pull request Compare This branch is 5 commits behind abedra:master.
Fetching latest commit...
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.


Safe ERB


Safe ERB lets you make sure that the string written by “<%= %>” in your rhtml template is escaped correctly. If you try to show the attributes in the ActiveRecord instance read from the database or the parameters received from the request without escaping them using “h” method, an exception will be raised. This will significantly reduce the possibility of putting cross-site scripting vulnerability into your web application.

The check is done using “tainted?” method in Object class which is a standard feature provided by Ruby - the string is “tainted” when it is read from IO. When ERB::Util#h method is called, this plugin “untaints” the string, and when “<%= %>” is called in your rhtml template, it raises an exception if the string you are trying to show is tainted.


You can grab Safe ERB from github and put it in vendor/plugins, or just run

script/plugin install git://

Safe ERB works on Rails 2.0.x, 2.1.x, 2.2.x, and 2.3.x. It has been tested using following database libraries:

  • PostgreSQL (postgres-0.7.1 gem)

  • MySQL (mysql-2.7 gem)

It does NOT work properly on SQLite (because the data read from SQLite driver is not tainted).


The string becomes tainted when it is read from IO, such as the data read from the DB or HTTP request. However, the request parameters are not tainted in functional and integration tests, and also if your server is Mongrel. Hence this plugin installs before_filter into ActionController::Base that always taints request parameters and cookies.

The returned values from the following methods become untainted:

  • ERB::Util#h

  • ActionView::Helpers::TagHelper#escape

  • ActionView::Helpers::TextHelper#strip_tags

Also, you can always untaint any string manually by calling “untaint” method (standard Ruby feature).


Aaron Bedra <aaron at>

Shinya Kasatani <kasatani at>

Something went wrong with that request. Please try again.