So in Rails 3, XSS protection is built in. This is good. In fact, I’ve wanted to see this since I first started coding Rails in the 1.x days. I have not started any Rails 3 projects yet, but I have been playing with enabling it on a Rails 2.3.8 project using Erubis and the rails_xss gem. Switching over, I found lots of places where strings which should be safe were being escaped. Of course I can easily mark the string as safe, but I wanted to learn why this was happening. I found that the Array#join method does not seem to keep strings safe, even when every element (and the separator) is html_safe:
    >> ("foo".html_safe + "bar".html_safe).html_safe?
    => true
    >> ("foo".html_safe << "bar".html_safe).html_safe?
    => true
    >> ["foo".html_safe, "bar".html_safe].join.html_safe?
    => nil
    >> ["foo".html_safe, "bar".html_safe].join(''.html_safe).html_safe?
    => nil
I’ve also noticed that mail_to does not return an html_safe string. This appears to have been fixed in Rails 3 but is still not correct in the rails_xss gem.