High Tech Sorcery

So in Rails 3 xss is protection is built in.  This is good.  In fact, I’ve wanted to see this since I first start coding rails in the 1.x days.  I have not started any Rails 3 projects yet but I have been playing with enabling this on a Rails 2.3.8 project by using erubis and the rails_xss gem.  Switching over I found lots of problems where strings which should be safe are being escaped.  Of course I can easily mark the string as safe but I wanted to learn why this was happening.  I found that the join method does not seem to keep strings safe.

1
2
3
4
5
6
7
8

>> ("foo".html_safe + "bar".html_safe).html_safe?
=> true
>> ("foo".html_safe << "bar".html_safe).html_safe?
=> true
>> ["foo".html_safe, "bar".html_safe].join.html_safe?
=> nil
>> ["foo".html_safe, "bar".html_safe].join(''.html_safe).html_safe?
=> nil

I’ve also noticed that mail_to does not return an html_safe string.  It appears to have been fixed in Rails 3 but not correct in the rails_xss gem.

I’m planning on buying/building a new computer and I think I will install Ubuntu 10.10 on it.  My plan is to use btrfs for the first time.  Risky, but I will be taking nightly backups.  However, Ubuntu 10.10 is planning on shipping with the Linux 2.6.35 which has a severe btrfs performance regression as documented here:

• Btrfs Did Regress Hard In The Linux 2.6.35 Kernel
• maverick btrfs slow install

But besides that I’m also hoping that the I/O performance situation will be improved.  It has been very difficult to track down where the bug is but I have certainly experienced it.  I haven’t tested the patches but if they work I hope they find there way into Ubuntu 10.10

• Fix “system goes unresponsive under memory pressure and lots of
  dirty/writeback pages” bug.
• Large I/O operations result in poor interactive performance and high iowait times
• The Linux Desktop Responsiveness Patches Are Feeling Good
• Heavy Disk I/O harms desktop responsiveness
• Very poor desktop response (high latency) during I/O-load with SATA+NCQ