Simon Willison’s Weblog

Why the h can't Rails escape HTML automatically? It would be a pretty huge change, but auto-escaping in Rails 2.0 could close up a lot of accidental XSS holes.

Posted 1st December 2007 at 8:34 pm

Recent articles

Vibe engineering - 7th October 2025
OpenAI DevDay 2025 live blog - 6th October 2025
Embracing the parallel coding agent lifestyle - 5th October 2025

autoescaping 4 django 577 rails 72 security 551 xss 60

Monthly briefing

Sponsor me for $10/month and get a curated email digest of the month's most important LLM developments.

Pay me to send you less!

Sponsor & subscribe