Not this chick. Sorry Rails, I love you and all, but you have now taken a governmental stance by trying to regulate the output of my HTML and for that, I must say: “Quit it!!”. If you haven’t caught up yet, Rails 3 takes HTML escaping into its own hands and instead of requiring you to use h() to escape your output, it’s now automagically escaped for you. Yay, that’s great right? No. Wrong. Because it means now anywhere you *didn’t* want your code escaped, you’ll have to use raw() or #html_safe. Also wrong because it enables bad, bad storage techniques.
First things first: you should be sanitizing your content prior to storage. Worried about someone adding JS to your public blog and breaking the site? Easy solution: throw away the <script> tag before writing to the db. There are plenty of tools to help with this, xss_terminate being one of them, and there are even built-in Rails sanitizers. If you do it right on the way in, you won’t have to worry about it on the way out. Ok, so let’s say you potentially miss something? It happens, no one is perfect. That’s the perfect case to use escape trickery (i.e. h()) in the areas where you might be worried about your output.
In general, if you develop applications that resemble the ones I build in any way, you have more HTML output that *doesn’t* need to be sanitized than does. Sorry to whichever genius thought it would be a great idea to escape everything, but you made a bad decision. It’s okay, have a beer, wallow in your sorrows and then give users the option to turn this off. In the meantime, it’s easy to disable it yourself.
In config/initializers create a file (call it whatever; I called mine output_buffer.rb), and all you need is:
```ruby
# Rails 3 decides whether to escape a value by asking it html_safe?.
# Answering true for everything makes the ERB output buffer leave all
# output untouched, which turns auto-escaping off application-wide.
class Object
  def html_safe?
    true
  end
end

class String
  def html_safe?
    true
  end
end
```
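To make the mechanics concrete, here is an added example (my own stdlib-only model of the Rails 3 behaviour, not Rails or ActiveSupport code): a SafeBuffer stand-in, an h() that makes the same html_safe? decision Rails 3's html_escape does, the sanitize-on-write step the post recommends, and, since h() consults the same html_safe? predicate, what the String patch above does to it. SafeBuffer, strip_scripts, with_global_html_safe and render_comment are names constructed for this example.

```ruby
require 'cgi'

# Stand-in for Rails 3's SafeBuffer: a String that answers html_safe? with true
# (constructed for this example; not the ActiveSupport implementation).
class SafeBuffer < String
  def html_safe?; true; end
  def to_s; self; end   # keep the safe marker through to_s, as Rails does
end

class String
  def html_safe?; false; end          # plain strings are untrusted by default
  def html_safe; SafeBuffer.new(self); end
end

# Same decision Rails 3's h()/html_escape makes: anything that answers
# html_safe? is passed through untouched, everything else is escaped.
def h(s)
  s = s.to_s
  s.html_safe? ? s : SafeBuffer.new(CGI.escapeHTML(s))
end

# Sanitize on the way in, as the post recommends: drop <script> blocks before
# the record is stored. Minimal stand-in for xss_terminate / Rails' sanitizers.
def strip_scripts(html)
  html.gsub(%r{<script\b[^>]*>.*?</script>}mi, '')
      .gsub(%r{</?script\b[^>]*>}i, '')
end

# Content cleaned on write is treated as trusted on read, so h() leaves it alone.
def render_comment(raw_input)
  h(strip_scripts(raw_input).html_safe)
end

# Apply the post's String#html_safe? patch only for the duration of the block,
# then restore the original, so its effect on h() can be observed in isolation.
def with_global_html_safe
  String.class_eval do
    alias_method :original_html_safe?, :html_safe?
    def html_safe?; true; end
  end
  yield
ensure
  String.class_eval do
    alias_method :html_safe?, :original_html_safe?
    remove_method :original_html_safe?
  end
end
```

With the patch active, h("<script>x</script>") comes back unescaped, because h() itself short-circuits on html_safe?; without it, the same call returns the escaped string.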