the future releases of Rails, 2.3.5 and 3.0, will mark string as
html_safe if they can be outputted safely. You can see the details about
that on this commit for the 2.3 branch:
http://github.com/rails/rails/commit/80da8eb43dfabb4ca9f0adcb431882d03e6388bb.
The idea behind this change is to have an on-by-default XSS escaping in
Rails. RailsXss (http://github.com/nzkoz/rails_xss) is a plugin for
Rails 2.3 that brings this safety by using erubis.
Haml has a already an option for automatically escaping HTML strings,
but it can be improved by not escaping strings that are already marked
as html_safe.
For example, the following line should output a link:
Click on #{link_to 'this link', '/this-link'}
If the auto-escaping is enabled, haml will escape it, but Rails marks
the result of link_to as safe, so haml should not escape it.
I've tried to modify the code of haml, but I'm not very confident in my
changes, so a code review is welcomed.
The changes are on github: http://github.com/nono/haml/tree/rails_xss.
++
Bruno
Thanks. I've tested it on my app, and it seems to work fine.
++
Bruno