stffn / declarative_authorization

An unmaintained authorization plugin for Rails. Please fork to support current versions of Rails
MIT License

improper rendering of gem browser views for roles/usages #19

Open grimen opened 14 years ago

grimen commented 14 years ago

...with the rails_xss plugin, which will be default in Rails 3, but many switch now already.

stffn commented 14 years ago

Is there a good way of supporting both? I wouldn't want to require rails_xss at this point.

grimen commented 14 years ago

I think that checking if defined?(::RailsXss) is true would work. It's the top namespace for that plugin, which for now gets mixed into ERB/Erubis.

stffn commented 14 years ago

OK, that is the checking part. But what is the best practice for either sanitizing or not sanitizing all output?

grimen commented 14 years ago

In Rails 3 (the future) the practice will be to sanitize everything. To avoid sanitizing, one can use #raw(value). They released the rails_xss plugin so that this practice can be used in Rails 2.3+ apps.

stffn commented 14 years ago

Yes, that is what I understood. The question is if there is any best practice for plugins to support both, with rails_xss and without. Do we need a custom "raw" helper when no rails_xss plugin is present?

grimen commented 14 years ago

No, plugins usually do not rely on RailsXss, but a best practice in Rails plugins would be to support migrating to Rails 3, and this plugin is released by Rails core, so.... In browsers, feature-detection for JavaScript is the most scalable solution to such problems, and in Ruby feature-detection is very straightforward, like so. I think that answers your question.
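The thread settles on feature detection plus a plugin-side raw helper, but no snippet survived on the page. The following is an added example (not code from declarative_authorization or rails_xss) of how a plugin view helper can render role markup correctly both with and without rails_xss: the role name is always escaped by the helper itself, the surrounding tags are marked html_safe only when the String#html_safe API exists, so the escaping view layer of rails_xss/Rails 3 leaves them alone. SafeBuffer, render and simulate_rails_xss! are constructed stand-ins for the rails_xss output buffer, the escaping template layer and the plugin being loaded; they exist only so the example runs offline in plain Ruby.

```ruby
require "erb"

# Constructed stand-in for the buffer class rails_xss returns from String#html_safe
# (ActiveSupport::SafeBuffer in the real plugin). Not part of rails_xss.
class SafeBuffer < String
  def html_safe?
    true
  end
end

module DualModeHelper
  # Feature detection, as suggested in the thread: rails_xss defines the
  # ::RailsXss namespace and adds String#html_safe. Either is enough to know
  # that the view layer escapes every value that is not marked safe.
  def self.xss_protection?
    !!(defined?(::RailsXss) || String.method_defined?(:html_safe))
  end

  # Untrusted text (role names, usage strings) is always escaped here, so the
  # helper is safe on Rails 2.3 without rails_xss, where nothing else escapes it.
  def self.escape(value)
    ERB::Util.html_escape(value.to_s)
  end

  # Plugin-side raw: mark trusted markup safe where the API exists, otherwise
  # pass it through unchanged. Only ever call this on markup the plugin built.
  def self.raw(markup)
    xss_protection? ? markup.html_safe : markup
  end

  # Markup for one role in the browser view; tags are trusted, the name is not.
  def self.role_item(role_name)
    raw(%(<li class="role">#{escape(role_name)}</li>))
  end
end

# Constructed simulation of the template output step: with rails_xss loaded,
# anything that does not answer html_safe? with true is escaped on output;
# without it, values are written as-is (the Rails 2.3 default).
def render(value)
  safe = value.respond_to?(:html_safe?) && value.html_safe?
  if DualModeHelper.xss_protection? && !safe
    ERB::Util.html_escape(value.to_s)
  else
    value.to_s
  end
end

# Constructed shim that makes the process look as if rails_xss were loaded:
# defines the ::RailsXss namespace and String#html_safe. For demonstration only.
def simulate_rails_xss!
  Object.const_set(:RailsXss, Module.new) unless defined?(::RailsXss)
  String.class_eval do
    def html_safe
      SafeBuffer.new(self)
    end
  end
end

if $PROGRAM_NAME == __FILE__
  # Plain Ruby here has no rails_xss, so this is the Rails 2.3 path.
  puts "xss_protection? => #{DualModeHelper.xss_protection?}"
  puts render(DualModeHelper.role_item("<b>admin</b>"))
end
```

The important property is that role_item produces the same bytes on both paths: without rails_xss the helper's own escape call is the only defence, and with it the raw marking stops the view layer from double-escaping the plugin's tags while the already-escaped name stays escaped. Passing user input straight to raw would reopen the XSS in the rails_xss case, so raw is applied only to markup assembled from escaped parts.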