Open grimen opened 14 years ago
Is there a good way of supporting both? I wouldn't want to require rails_xss at this point.
I think that checking if defined?(::RailsXss) is true would work. It's the top namespace for that plugin, which for now gets mixed into ERB/Erubis.
OK, that is the checking part. But what is the best practice for either sanitizing all output or not?
In Rails 3 (the future) the practice will be to sanitize everything. To avoid sanitizing, one can use #raw(value). They released the rails_xss plugin so that this practice can be used in Rails 2.3+ apps.
Yes, that is what I understood. The question is if there is any best practice for plugins to support both, with rails_xss and without. Do we need a custom "raw" helper when no rails_xss plugin is present?
No, plugins usually do not rely on RailsXss, but a best practice in Rails plugins would be to support migrating to Rails 3 - this plugin is released by Rails core, so.... In browsers, feature detection for JavaScript is the most scalable solution to such problems, and in Ruby feature detection is very straightforward, like so. I think that answers your question.
...with the rails_xss plugin - which will be the default in Rails 3, but many switch now already.
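The approach discussed in the thread, written out as an added example (this is not code from the issue or from the rails_xss plugin): a hypothetical plugin helper module, `MyPlugin::Helper`, that detects rails_xss through the top-level `::RailsXss` constant, escapes untrusted data itself in both modes, and only marks its own markup as trusted (what `raw` does, via `html_safe`) when rails_xss is present. The helper name, the `labelled_span` method and the sample input are assumptions for illustration.

```ruby
# Added example, not code from the issue thread. Hypothetical plugin helper
# that works with and without the rails_xss plugin.
require 'erb'

module MyPlugin
  module Helper
    # Feature detection: rails_xss (and Rails 3) define the ::RailsXss constant
    # and add String#html_safe. Plain Ruby without the plugin returns false here.
    def self.rails_xss_present?
      !!defined?(::RailsXss)
    end

    # Escape untrusted data ourselves. This is needed in both modes: without
    # rails_xss nothing else escapes output; with it, an already-escaped piece
    # is what makes the surrounding markup safe to mark as trusted below.
    def self.escape(text)
      ERB::Util.html_escape(text.to_s)
    end

    # Return markup that renders as HTML under both modes. With rails_xss the
    # template escapes every string unless it is flagged html_safe (which is
    # what raw() does), so we flag markup we built. Without rails_xss there is
    # no auto-escaping, so the plain string is returned unchanged.
    def self.safe_markup(html)
      if rails_xss_present? && html.respond_to?(:html_safe)
        html.html_safe
      else
        html
      end
    end

    # Example plugin helper: <span class="...">escaped user text</span>
    def self.labelled_span(text, css_class = 'label')
      safe_markup(%(<span class="#{escape(css_class)}">#{escape(text)}</span>))
    end
  end
end

if $0 == __FILE__
  # Constructed sample input: an XSS payload supplied by a user.
  puts MyPlugin::Helper.rails_xss_present?
  puts MyPlugin::Helper.labelled_span('<script>alert(1)</script>')
end
```

With rails_xss loaded, `labelled_span` returns an html_safe string that ERB will emit as-is; without it, the same already-escaped markup is returned as a plain string, so the helper never relies on the plugin being installed.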