Luis
6/28/2007 7:11:00 PM
Oh woops, my mistake! Meant to send this to the Rails list.
On 6/28/07, Luis <luis.chato@gmail.com> wrote:
> I am writing an application where I know that I do not need to allow
> any HTML input from a user.
>
> I am considering using before_filter at the controller level to call a
> method that essentially performs the following on the appropriate
> members of the params hash:
> - call strip_tags()
> - escape any remaining characters with h()
>
> The reason why I am doing this is it seems repetitive and error prone
> to have to call the above method every time in a view where user input
> is being displayed. Ultimately, I would prefer to store the data in as
> "non-malicious" format as possible and not have to worry at the
> presentation level of escaping that data at a later time.
>
> Is there a better way to do this? Is there existing code that does
> this already? Some googling yielded nothing specific other than
> postings to the effect of "in your view, make sure to use h()".
>
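As an added illustration (not code from this thread or from Rails itself), here is a plain-Ruby model of the two approaches Luis describes: escaping at input time in a before_filter versus escaping at output time with h(). It uses CGI.escapeHTML in place of h() and a simplified regex stand-in for strip_tags, and shows what happens when a view still calls h() on input-escaped data and when a non-HTML consumer reads it.

```ruby
require 'cgi'

# Simplified stand-in for Rails' strip_tags (not the Rails implementation):
# drops anything that looks like an HTML tag.
def strip_tags_simple(text)
  text.gsub(/<[^>]*>/, '')
end

# The approach from the post: in a before_filter, strip tags from every string
# param and HTML-escape what is left, then store that result.
def sanitize_params_on_input(params)
  params.transform_values do |v|
    v.is_a?(String) ? CGI.escapeHTML(strip_tags_simple(v)) : v
  end
end

# The conventional alternative: store the raw string and escape when rendering,
# which is what h() does in a view. CGI.escapeHTML stands in for h() here.
def h(value)
  CGI.escapeHTML(value.to_s)
end

# Simulates a view that calls h() on a value already escaped at input time:
# "&amp;" becomes "&amp;amp;" and the browser shows the literal text "&amp;".
def render_stored_with_h(stored_value)
  h(stored_value)
end

# Simulates a non-HTML consumer (plain-text email, JSON API) reading the stored
# value: HTML entities have to be decoded first or they leak into the output.
def plain_text_view(stored_value)
  CGI.unescapeHTML(stored_value)
end

if __FILE__ == $0
  # Constructed sample input: harmless text that merely contains & and <.
  params = { 'comment' => 'Tom & Jerry: 1 < 2', 'title' => '<b>hi</b>' }
  stored = sanitize_params_on_input(params)
  puts "stored comment:        #{stored['comment']}"
  puts "stored + h() in view:  #{render_stored_with_h(stored['comment'])}"
  puts "raw + h() in view:     #{h(params['comment'])}"
  puts "stored in plain text:  #{plain_text_view(stored['comment'])}"
end
```

Escaping once at output keeps the stored data usable in every context; escaping at input commits the data to HTML and forces every other consumer to undo it.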