Convention over configuration

Posted by MSch Sat, 17 Dec 2005 12:31:00 GMT

Lucas Carlson tried to fix ERB’s html_escape to escape special characters, because he didn’t like the output Rails produced with this statement (the `&lt;` in the label was escaped a second time, so the page showed the literal text `&lt; Back` instead of `< Back`):
button_to '&lt; Back', :action => 'view', :id => 3
So he went on and patched ERB so that it supported escaping of ampersands (by prefixing them with a \) and until yesterday that seemed like the Ruby-like solution to me. But then I woke up today and everything seemed clear.

I was a fool. Not only did I completely ignore the potential security hole (XSS) that was introduced by essentially removing html_escape’s teeth, but I also neglected to see the really Rails-like solution.

Rails is based on many principles that sound like buzzwords, but in fact aren’t. Convention over configuration is one of them, and it means that there’s always one favoured way to do something. For his problem, that way is replacing the &lt; with a plain old <:
button_to '< Back', :action => 'view', :id => 3
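To make the difference between the two labels concrete, here is an added example (not code from the post or from Rails) that runs both through ERB::Util.html_escape, the escaper Rails’ h() helper uses, and works out what text the browser ends up displaying. The html_unescape helper is assumed for the demonstration and only reverses the entities html_escape emits.

```ruby
require 'erb'

# Rails' h() helper delegates to ERB::Util.html_escape, which turns & < > "
# into entities so the browser shows them as text instead of parsing them.
def escaped_button_label(label)
  ERB::Util.html_escape(label)
end

# Reverses the entities html_escape emits (plus &#39;, which newer Rubies add).
# This is a helper written for the example, not part of Rails.
def html_unescape(html)
  html.gsub(/&(amp|lt|gt|quot|#39);/) do
    { 'amp' => '&', 'lt' => '<', 'gt' => '>', 'quot' => '"', '#39' => "'" }[$1]
  end
end

# What the user actually sees after the browser decodes the escaped label.
# With plain text in, the displayed text is exactly what you wrote; with a
# pre-escaped entity in, the entity itself is displayed. No markup ever
# survives, which is what keeps html_escape's XSS protection intact.
def displayed_text(label)
  html_unescape(escaped_button_label(label))
end

if __FILE__ == $0
  puts escaped_button_label('< Back')      # &lt; Back      -> displays "< Back"
  puts escaped_button_label('&lt; Back')   # &amp;lt; Back  -> displays "&lt; Back"
  puts escaped_button_label('<b>Back</b>') # &lt;b&gt;Back&lt;/b&gt;, shown as text
end
```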
