I'm not sure I follow why you'd want to get a log message every time
auto-escaping is invoked. It's *meant* to be invoked all the time, and
I'm not sure that we could reliably detect an *unintentional*
invocation of auto-escaping compared to an intentional escaping of
params[:foo].
> Does anyone else think this would be useful or have any other ideas?
I'm not sure that there's going to be a silver bullet here, perhaps
look into what the django guys did? Maybe there's a clever idea there
somewhere. However I still think the best approach is a manual one.
First thing you should do is test your app in staging with the
rails_xss plugin for 2.3 (once 2.3.5 is out, or using 2-3-stable) that
uses the same fundamental logic.
Audit your helpers for places where you're building up strings instead
of using the content_tag and tag helpers.
Any places you're returning html from a model, make sure it's
sanitized before it's saved, then just mark the model method as safe.
I've ported two relatively sizable apps over, and in both cases it was
relatively simple to see what was broken (entire divs missing because
they were escaped, etc.) and it was only a day's work. Hopefully a
bunch of other people will go through the same process and we'll be
able to put together a nice "XSS changes" section for the 3.0 upgrade
guide.
--
Cheers
Koz
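The three steps Koz describes above (run under auto-escaping, replace helpers that build strings by hand with content_tag-style helpers, sanitize model HTML before it is saved and mark the accessor safe), as an added example that is not part of Koz's post, rails_xss or Rails itself. It is a self-contained toy in plain Ruby that follows the same fundamental logic: an output buffer that escapes anything not marked html_safe. `SafeBuffer`, `String#html_safe`, `content_tag`, `render`, `link_by_concat`, `Post` and `ALLOWED_TAGS` are simplified stand-ins written for this example, not the Rails implementations, and the regex-based sanitizer is a toy; in a real app use the framework's sanitize helper.

```ruby
require 'cgi'

# Toy model of the rails_xss output buffer (an assumption for this example,
# not the Rails class): a String that knows it is safe, and that escapes any
# plain String appended to it while appending other safe buffers verbatim.
class SafeBuffer < String
  def html_safe?
    true
  end

  def <<(value)
    if value.respond_to?(:html_safe?) && value.html_safe?
      super(value.to_s)
    else
      super(CGI.escapeHTML(value.to_s))
    end
  end
  alias concat <<
end

# Plain strings are unsafe by default; html_safe wraps one in a SafeBuffer.
class String
  def html_safe?
    false
  end

  def html_safe
    SafeBuffer.new(self)
  end
end

# Step 1 symptom: a helper that builds markup by string concatenation returns
# a plain String, so the whole thing gets escaped when the template buffer
# appends it. The tags show up as literal text and the "div goes missing".
def link_by_concat(text, url)
  "<a href=\"#{url}\">#{text}</a>"
end

# Step 2 fix: a content_tag-style helper (simplified stand-in for the Rails
# helper). Attribute values are escaped, the content is escaped unless it is
# already safe, and the result is a SafeBuffer the template appends verbatim.
def content_tag(name, content, attrs = {})
  attr_str = attrs.map { |k, v| " #{k}=\"#{CGI.escapeHTML(v.to_s)}\"" }.join
  buf = SafeBuffer.new("<#{name}#{attr_str}>")
  buf << content
  buf << "</#{name}>".html_safe
end

# Simulates a template under auto-escaping: the output buffer starts safe
# and every piece of the template is appended through SafeBuffer#<<.
def render(*pieces)
  out = SafeBuffer.new
  pieces.each { |piece| out << piece }
  String.new(out)
end

# Step 3: a model that stores user HTML. The HTML is sanitized on the way in
# (toy tag whitelist that also drops every attribute, even on allowed tags),
# and the accessor the view uses is marked safe so it is not escaped again.
class Post
  ALLOWED_TAGS = %w[b i em strong p].freeze

  attr_reader :body

  def body=(html)
    @body = sanitize(html)
  end

  def safe_body
    body.html_safe
  end

  private

  def sanitize(html)
    html.gsub(%r{</?([a-zA-Z0-9]+)[^>]*>}) do |tag|
      name = $1.downcase
      next "" unless ALLOWED_TAGS.include?(name)
      tag.start_with?("</") ? "</#{name}>" : "<#{name}>"
    end
  end
end

if __FILE__ == $0
  # Constructed inputs for the demonstration.
  puts render("<div>".html_safe, link_by_concat("home", "/"), "</div>".html_safe)
  puts render("<div>".html_safe, content_tag(:a, "home", href: "/"), "</div>".html_safe)
  puts content_tag(:a, "<script>x</script>", href: '"onmouseover="alert(1)')
  post = Post.new
  post.body = '<b onclick="steal()">hi</b><script>alert(1)</script>'
  puts render(post.safe_body)   # rendered once, as intended
  puts render(post.body)        # double-escaped: the sanitized tags become text
end
```

The last two `render` calls show the two failure modes the audit is looking for: forgetting `html_safe` on a sanitized model accessor double-escapes it, while marking unsanitized content safe would let the `<script>` through. Sanitize on save, then mark only the sanitized accessor safe.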