Simon Willison’s Weblog

Blogmarks tagged xss, security, rails in 2007

Filters: Type: blogmark × Year: 2007 × xss × security × rails ×


Why the h can’t Rails escape HTML automatically? It would be a pretty huge change, but auto-escaping in Rails 2.0 could close up a lot of accidental XSS holes. # 1st December 2007, 8:34 pm

Two months with Ruby on Rails. Good rant—covers both the good and the bad. The first complaint is the lack of XSS protection by default in the template language. Django has the same problem, but the solution was 90% there when I saw Malcolm at OSCON. # 9th October 2007, 12:23 pm

XSS. Sanitising HTML is an extremely hard problem. The sanitize helper that ships with Rails is completely broken; Jacques Distler provides a better alternative. # 12th March 2007, 12:34 am

Types

Years

Months

Tags