Escaping HTML with xss_terminate
Contrary to what Sarat says, I am security conscious, as this post will demonstrate.
Even though the odds were against me, as hardly anyone reads this site, for a long while now I have been paranoid that this space would be subject to some nasty hackage in the form of cross-site scripting (XSS). Rails 101 tells you to escape user-generated content by wrapping your output in the h helper in the template, easy enough.
For a while I blindly adhered to this rule, thinking it was something I had to put up with, till it dawned on me that this kinda functionality should be built into Rails from the get-go, like Django does it.
I scoured the interwebs for a decent solution to this problem, as I wanted user-generated content to be stripped automatically. I found a relatively new solution called xss_terminate, which sanitizes any naughty HTML from user input (other than my own of course, cos I play nice) before it is saved, so I can install and forget on that front… for now at least. If you want to read more into this, a more detailed explanation of xss_terminate can be found at Rail Spikes.
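To show what "escape on save" means in practice, here is an added example (my own plain-Ruby sketch, not the xss_terminate plugin's code) of a before-save hook that HTML-escapes every string attribute unless it is listed as an exception; the Comment class, its attributes and the sample input are all constructed for the example.

```ruby
require 'cgi'

# Minimal stand-in for an ActiveRecord before_save hook that escapes HTML
# in every string attribute, mirroring the default behaviour described above.
# Constructed for this example; not the plugin's own implementation.
module EscapeOnSave
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Attributes listed here are stored unescaped (e.g. a trusted admin-only field).
    def escape_html_except(*names)
      @unescaped = names.map(&:to_s)
    end

    def unescaped_attributes
      @unescaped || []
    end
  end

  # Runs before save: replace each untrusted string with its escaped form,
  # so <, >, &, " and ' can no longer form markup when rendered.
  def escape_string_attributes!
    attributes.each do |name, value|
      next unless value.is_a?(String)
      next if self.class.unescaped_attributes.include?(name)
      attributes[name] = CGI.escapeHTML(value)
    end
  end
end

class Comment
  include EscapeOnSave
  attr_reader :attributes
  escape_html_except :admin_note   # hypothetical trusted field, left as-is

  def initialize(attrs)
    @attributes = attrs.transform_keys(&:to_s)
  end

  # Stand-in for ActiveRecord#save: run the hook, then pretend to persist.
  def save
    escape_string_attributes!
    true
  end
end

# Constructed sample input: a visitor comment carrying a script tag.
def demo
  c = Comment.new(body: '<script>alert(1)</script> hi', admin_note: '<b>ok</b>')
  c.save
  c.attributes
end
```

One caveat: once the stored value is already escaped, wrapping it in h again in the view escapes it a second time and the reader sees a literal `&lt;`, so pick one layer (input or output) and stick to it.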
Just to make clear, this isn't an open invitation to try and break this blog either. Ciao for now.
