Auto sanitized templates with Erubis

Posted by marcel March 16, 2006 @ 06:24 AM

Last month on the Rails core mailing list, a thread popped up (that went on and on) wherein the idea was proposed that rhtml templates should automatically sanitize output by default. After much back and forth, David suggested those in favor redirect their energies toward a working plugin.

Enter stage left, Erubis. It’s a customized implementation of eRuby that provides a handful of features, notably that <%= %> tags automatically sanitize output. You use <%== %> if you don’t want to sanitize the output. For all those who wish rhtml files were sanitized by default, here is your solution.

Configure your Rails apps to use Erubis templates with ActionView::Base::register_template_handler.
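As an added illustration (not code from the post or from Erubis itself), a small Ruby stand-in that mirrors the `<%= %>` / `<%== %>` convention described above using `CGI.escapeHTML`: the first form escapes, the second inserts raw. The names `render_escaped` and `link_to` and the sample input are assumptions made for this example.

```ruby
require "cgi"

# Stand-in for an escaping-by-default template mode (assumption: not Erubis's
# own compiler). <%= expr %> is HTML-escaped, <%== expr %> is inserted as-is.
def render_escaped(template, locals = {})
  b = binding
  locals.each { |name, value| b.local_variable_set(name, value) }
  template.gsub(/<%(==?)\s*(.*?)\s*%>/m) do
    raw  = ($1 == "==")      # capture before eval, which may reset $~
    code = $2
    value = eval(code, b).to_s
    raw ? value : CGI.escapeHTML(value)
  end
end

# Helper that returns markup. It must escape its own inputs, and the template
# must insert its result with <%== %> or the <a> tag itself would be escaped.
def link_to(text, url)
  %(<a href="#{CGI.escapeHTML(url)}">#{CGI.escapeHTML(text)}</a>)
end

# Constructed sample of untrusted user-supplied text.
UNTRUSTED_NAME = %q{<script>alert("xss")</script>}

# Default form: the tags arrive in the page as inert text.
def escaped_example
  render_escaped("<p>Hello, <%= name %></p>", name: UNTRUSTED_NAME)
end

# Opt-out form: the value is emitted unchanged, so the caller owns the risk.
def raw_example
  render_escaped("<p>Hello, <%== name %></p>", name: UNTRUSTED_NAME)
end

# Helper form: raw insertion of markup the helper already escaped.
def helper_example
  render_escaped(%(<%== link_to(name, "/users") %>), name: UNTRUSTED_NAME)
end

if __FILE__ == $0
  puts escaped_example
  puts raw_example
  puts helper_example
end
```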

Posted in Releases, Tools | 11 comments

Comments

  1. Hendrik on 16 Mar 09:41:

    So with Erubis it’s <%= and <%== instead of <%=h and <%=. Awesome!

  2. Hendrik on 16 Mar 09:42:

    So with Erubis it’s <%= and <%== instead of <%=h and <%=. Awesome!

  3. Hendrik on 16 Mar 09:42:

    Oops, didn’t mean to double-post.

  4. Joe on 16 Mar 10:16:

    How about auto-textilized (RedCloth) templates?

  5. Dopey on 16 Mar 13:58:

    Maybe we can create plugins for Erubis.

    /vendor/plugins/erubis
    /vendor/plugins/erubis/vendor/plugins/h
    /vendor/plugins/erubis/vendor/plugins/red_cloth

    ruby script/plugin install erubis/red_cloth

    Nah just kidding

  6. Nicholas Wright on 16 Mar 16:34:

    What does ‘sanitize’ consist of? Does it encode all entities or does it just take care of angle brackets and quotes?

  7. Mike on 16 Mar 21:09:

    Sanitizing is context-sensitive! E.g. in a JavaScript context you need to look out for other characters than in an HTML context. Unless Erubis analyses the page and where the tag is placed in the page and then chooses the right kind of sanitization, I guess you are creating a false sense of security.

    Just my 2c.

  8. Daniel Luz on 17 Mar 06:41:

    I agree with Mike. Not only because of javascript escaping, but also because this implementation won’t help at all with helper methods: you’ll still need to do <%== link_to(h(text)) %>.

    Don’t take me wrong: I’d love to see a good safe (auto-sanitized) template rendering, but Erubis as it is does not mix well with the rest of the framework, because of the helpers.

  9. Daniel Luz on 17 Mar 06:41:

    I agree with Mike. Not only because of javascript escaping, but also because this implementation won’t help at all with helper methods: you’ll still need to do <%== link_to(h(text)) %>.

    Don’t take me wrong: I’d love to see a good safe (auto-sanitized) template rendering, but Erubis as it is does not mix well with the rest of the framework, because of the helpers.

  10. Peter Marklund on 17 Mar 17:07:

    I tried to set this up today with Erubis but couldn’t get it to work. I got Rails to use Erubis for template parsing but it bombed out on the front page for a reason that I couldn’t quite track down.

    Anybody else have this successfully set up? Anybody working on a plugin already?

    I think templating systems should quote by default. We went down exactly this route with the OpenACS framework and it worked out great.

  11. twifkak on 17 Mar 20:31:

    Makes sense. Equivalent to SQL-quoting by default.