XSS security in Rails
It seems to me that anyone who wants a web application framework to be successful should focus on a strong, yet unobtrusive, security model. One reason PHP is avoided by many developers is that so many PHP applications are full of security vulnerabilities. I’ve always been a fan of escaping all output by default and opting out only where explicitly specified, the opposite of how Rails operates (raw by default, escape with `h()` where you remember to). I remember investigating early plugins to accomplish this but without much luck. It seems like there has been a lot of activity in this area, so I thought I would investigate the landscape again.
- SafeERB - Seems immature and is apparently fairly difficult to work with (still requires everything to be escaped manually).
- xss-shield - Virtually no documentation.
- xss_terminate - Can sanitize or strip tags on save; does not address HTML escaping at output time.
- CrossSiteSniper
That last post is a good writeup on the shortcomings of the other solutions and how CrossSiteSniper avoids them. I think that will be my first plugin to try.
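To make the escape-by-default model concrete, here is an added example (my own toy code, not taken from CrossSiteSniper or any of the plugins above) that wires Ruby's standard `ERB` so every `<%= %>` expression passes through an `auto_escape` helper, with a `raw()` marker as the explicit opt-out. The names `SafeString`, `auto_escape`, `raw` and `EscapingERB` are assumptions for this illustration; the comment template and the sample values are constructed. It relies on the `insert_cmd` hook that `ERB::Compiler` exposes for `<%= %>` output.

```ruby
require 'erb'
require 'cgi'

# Marker class for strings the view author has explicitly vouched for.
class SafeString < String
  # ERB calls .to_s on every <%= %> expression before appending it;
  # returning self keeps the "already safe" marker through that call.
  def to_s
    self
  end
end

# Escape the five HTML metacharacters (< > & " ').
def html_escape(value)
  CGI.escapeHTML(value.to_s)
end

# Explicit opt-out: the caller asserts this string is safe HTML.
def raw(value)
  SafeString.new(value.to_s)
end

# Escape-by-default decision: only marked-safe strings pass through.
def auto_escape(value)
  value.is_a?(SafeString) ? value : html_escape(value)
end

# ERB subclass: every <%= expr %> compiles to
#   _erbout << auto_escape((expr).to_s)
# instead of the stock
#   _erbout.<<((expr).to_s)
class EscapingERB < ERB
  def set_eoutvar(compiler, eoutvar = '_erbout')
    super
    compiler.insert_cmd = "#{eoutvar} << auto_escape"
  end
end

# Constructed view: author and body are untrusted, badge is trusted markup.
COMMENT_TEMPLATE = '<li><b><%= author %></b>: <%= body %> <%= raw(badge) %></li>'

# Escape-by-default rendering (the model argued for in the post).
def render_comment(author, body, badge)
  EscapingERB.new(COMMENT_TEMPLATE).result(binding)
end

# Stock ERB for comparison: same template, nothing escaped unless you call h().
def render_comment_plain_erb(author, body, badge)
  ERB.new(COMMENT_TEMPLATE).result(binding)
end

if __FILE__ == $0
  # Constructed hostile input: a comment body containing a script tag.
  args = ['eve', '<script>alert(1)</script>', '<em>admin</em>']
  puts "escaping ERB: #{render_comment(*args)}"
  puts "plain ERB:    #{render_comment_plain_erb(*args)}"
end
```

With the hostile body above, the escaping renderer emits `&lt;script&gt;alert(1)&lt;/script&gt;` while the trusted badge keeps its `<em>` tags, and the plain-ERB renderer emits the script tag verbatim. The design point is that the unsafe path requires a visible `raw()` call in the view, which is easy to grep for in review, rather than requiring a `h()` call that is easy to forget.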