Safe ERB plugin
Just put this plugin into vendor/plugins directory in your Rails application. No configuration is needed.
The string becomes tainted when it is read from IO, such as the data read from the DB or HTTP request. However, the request parameters are not tainted in functional and integration tests, and also if your server is Mongrel. Hence this plugin installs before_filter into ActionController::Base that always taints request parameters and cookies.
The taint check is done when the ERB template is complied from following methods in ActionController::Base:
The check is limited to these methods so that it won’t affect other parts of Rails using ERB, such as generators and the views for ActionMailer. To skip checking for specific controllers or actions, you can set @skip_checking_tainted variable to true in your filter or action.
The returned values from the following methods become untainted:
Also, you can always untaint any string manually by calling “untaint” method (standard Ruby feature).
There is currently no advanced documentation for this plugin.New documentation