README.markdown

Path: README.markdown
Last Update: Sat Feb 23 07:12:51 +0000 2019

RailsXss

==

This plugin replaces the default ERB template handlers with erubis, and switches the behaviour to escape by default rather than requiring you to escape. This is consistent with the behaviour in Rails 3.0.

Strings now have a notion of "html safe", which is false by default. Whenever rails copies a string into the response body it checks whether or not the string is safe, safe strings are copied verbatim into the response body, but unsafe strings are escaped first.

All the XSS-proof helpers like link_to and form_tag now return safe strings, and will continue to work unmodified. If you have your own helpers which return strings you know are safe, you will need to explicitly tell rails that they‘re safe. For an example, take the following helper. 

    def some_helper
      (1..5).map do |i|
        "<li>#{i}</li>"
      end.join("\n")
    end

With this plugin installed, the html will be escaped. So you will need to do one of the following:

1) Use the raw helper in your template. raw will ensure that your string is copied verbatim into the response body. 

    <%= raw some_helper %>

2) Mark the string as safe in the helper itself: 

    def some_helper
      (1..5).map do |i|
        "<li>#{i}</li>"
      end.join("\n").html_safe
    end

3) Use the safe_helper meta programming method: 

    module ApplicationHelper
      def some_helper
        #...
      end
      safe_helper :some_helper
    end

Example

[Validate]