
Rails XSS Protection and Haml

Posted October 17, 2009

2.2.5 will support it, too, as long as you’ve installed the plugin. All strings that are printed to a template will be HTML-escaped by default - if you have a string that’s known to be safe, you’ll need to manually mark it as such. This will make it much harder to make the kind of mistakes that allow XSS vulnerabilities into your app.

Haml has supported a similar sort of XSS protection since version 2.0. If the :escape_html option is set to true, all strings are HTML-escaped by default, and a special syntax is then used to insert raw HTML into the document. This option is not enabled by default, in order to preserve backwards compatibility and to match what users expect.

Haml versions 2.2.9 and onward support Rails’ XSS protection. This means that if you’ve got XSS protection enabled (either you’re running 2.2.5+ with the plugin, or you’re running 3.0 without the disabling plugin), Haml will escape everything by default just like ERB. It does this by enabling :escape_html, which means that you can still use the unescaping syntax to insert a raw string.

In addition to turning on :escape_html, Haml won’t escape strings that are marked as HTML-safe. It’ll also mark the output of its helpers as HTML-safe so that they don’t need to be passed to !=.

Vasiliy said October 19, 2009:

Hello.

Your Atom feed seems empty in my reader (Liferea) and in Firefox. Maybe there are mistakes in the XML structure?

Nathan said October 19, 2009:

Sorry about that. It should be fixed now.
