rails/raw_output_helper.rb at 5c53ffe1dbb3ece45ed58ed5b005e9c104f61842 - rails - Gitea Demo

THIS IS A TEST INSTANCE ONLY! REPOSITORIES CAN BE DELETED AT ANY TIME!

TEST_CODEOWNERS/rails

Michael Koziarski 9415935902 Switch to on-by-default XSS escaping for rails.

This consists of:

  * String#html_safe! a method to mark a string as 'safe'
  * ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it
  * Calls to String#html_safe! throughout the rails helpers
  * a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presantized strings in the DB)
  * New ERB implementation based on erubis which uses a SafeBuffer instead of a String

Hat tip to Django for the inspiration.

2009-10-08 09:31:20 +13:00

9 lines

166 B

Ruby

Raw Blame History

 module ActionView #:nodoc:
   module Helpers #:nodoc:
     module RawOutputHelper
       def raw(stringish)
         stringish.to_s.html_safe!
       end
     end
   end
 end