auto escaping html in Rails to protect from XSS
Tonight I found a plugin that auto-escapes HTML in order to protect from XSS attacks. I'm not sure why Rails doesn't do it out of the box (you have to use the h() helper). Anyway, the plugin is called xss_terminate and it can be found here. The cool thing about it is that now you can forget about h().
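An added example (not code from this post or from the xss_terminate plugin) showing the gap described above: in a Rails 2 style ERB view a value is inserted verbatim unless the view calls h(), and a hypothetical Comment class escapes once at save time so views no longer depend on every author remembering h(). It assumes only plain Ruby with the stdlib ERB; the Comment class and the sample input are constructed.

```ruby
require "erb"

# Constructed sample input: a user-supplied comment carrying a script tag.
USER_COMMENT = "Nice post! <script>alert(1)</script>"

# Rails 2 style templates: ERB inserts the value verbatim unless the view calls h().
UNESCAPED_TEMPLATE = "<p><%= comment %></p>"
ESCAPED_TEMPLATE   = "<p><%= h(comment) %></p>"

# The view-level helper. Rails' h() is ERB::Util.html_escape exposed in views;
# here it is defined at top level so the templates below can call it.
def h(text)
  ERB::Util.html_escape(text)
end

# Render a template with the given comment visible as a local variable.
def render(template, comment)
  ERB.new(template).result(binding)
end

# Model-level alternative in the spirit of a save-time plugin (hypothetical class,
# not xss_terminate's code): escape when the record is stored, so every view that
# later prints the attribute is safe even if the view forgot h().
class Comment
  attr_reader :body

  def initialize(body)
    @body = h(body) # stands in for a before_save callback
  end
end

# Crude check used by the tests: does the rendered HTML still contain a live <script tag?
def contains_live_script?(html)
  html.include?("<script")
end
```

Escaping at save time means a view that still calls h() will double-escape (`&amp;lt;`), so pick one layer and apply it consistently.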
The escaping will be the default in Rails 3.
Christoph Olszowka
31 Jul 09 at 3:33 pm