Monday, August 30, 2010

Rails 3 HTML Encodes by Default

Rails 3 came out recently, and the developers made a significant change that really improves the security posture of Rails 3.  They really embraced the "secure by default" security principle in their efforts to eliminate cross-site scripting.  Previously, unsafe user data had to be explicitly HTML encoded in order to avoid cross-site scripting.  This was done using the "h" helper in the view.  For example:
<%= h(@unsafe_user_input) %>

In Rails 3, the default is to automatically HTML encode everything output with <%= %>.  The "h" helper is no longer necessary (calling it is harmless, since already-escaped output is not escaped a second time).  Instead, developers must go out of their way to output unescaped HTML to the page using the "raw" helper, which marks the string as HTML-safe; anything passed to "raw" bypasses the protection entirely, so it should only ever be trusted or already-sanitized markup.  For example:
<%= raw(@unsafe_user_input) %>
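An added example, not code from this post or from Rails itself, that models the mechanism behind the change: the template's output buffer escapes everything appended to it unless the value has been marked HTML-safe, which is what raw does. SafeBuffer, h, raw and render_paragraph below are simplified stand-ins for Rails' own ActiveSupport::SafeBuffer and view helpers.

```ruby
require "erb"

# Every plain String is untrusted by default; html_safe wraps it in a
# buffer type that the output buffer will append without escaping.
class String
  def html_safe?
    false
  end

  def html_safe
    SafeBuffer.new(self)
  end
end

# Simplified model of ActiveSupport::SafeBuffer (added example, not Rails code).
class SafeBuffer < String
  def html_safe?
    true
  end

  # Static template text is trusted and appended verbatim.
  def safe_concat(str)
    String.instance_method(:<<).bind(self).call(str)
  end

  # Dynamic values (<%= expr %>) are escaped unless marked html_safe.
  def <<(value)
    value = ERB::Util.html_escape(value) unless value.html_safe?
    safe_concat(value)
  end
end

# Rails 2 style explicit escaping; in Rails 3 this is what <%= %> does anyway.
def h(value)
  ERB::Util.html_escape(value).html_safe
end

# Rails 3 escape hatch: marks the value as safe so it is NOT escaped.
def raw(value)
  value.to_s.html_safe
end

# Simulates rendering the template "<p><%= expr %></p>" under Rails 3 rules.
def render_paragraph(expr_value)
  buf = SafeBuffer.new("")
  buf.safe_concat("<p>")
  buf << expr_value
  buf.safe_concat("</p>")
  buf
end
```

Rendering "<script>alert(1)</script>" through render_paragraph yields escaped text, while the same string passed through raw is emitted as live markup.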

I think the Rails developers took a really strong stance on this issue and it will result in a safer Ruby on Rails ecosystem.

Please see the video below for more details:
http://rubyonrails.org/screencasts/rails3/xss-ujs

There is also a really great Rails security guide found here:
http://guides.rubyonrails.org/security.html