Badminton on Rails
Sanitize your output in Ruby on Rails

    Posted on October 30th, 2008 by Raymond Law

    We all know about the holy h() method that escapes your output when you write <%=h blah %>. But how many of us can claim we remember to use it everywhere it's appropriate, 100% of the time, during development? Can you swear you've never missed one? Moreover, it's a real mental distraction to think about your view logic and h() at the same time. And when you take over a Rails project midway, how can you verify that the previous developers used h()?

    Here’s the rescue.

    safe_erb + footnotes

    I don't think I need to explain more. Just use them and you will find all the places where you should sanitize your output with h(), sanitize(), untaint(), etc.
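As an added illustration (not the safe_erb plugin's own code), here is a small Ruby stand-in for the kind of check it performs: untrusted values are wrapped in a hypothetical Untrusted class instead of Ruby's old taint flags, so a view that emits one without h() fails at render time, while the escaped version renders cleanly. The templates and the hostile input are constructed for the example.

```ruby
require 'erb'

# Raised when a view writes untrusted data to the response without escaping it.
class UnescapedOutput < StandardError; end

# Hypothetical wrapper standing in for a tainted string: any user-supplied value
# (params, DB columns) is wrapped so that emitting it raw is caught at render time.
class Untrusted
  attr_reader :raw
  def initialize(raw)
    @raw = raw
  end

  # ERB's <%= %> calls to_s on the expression's value. Raw output of
  # untrusted data is exactly the bug the post describes, so fail loudly.
  def to_s
    raise UnescapedOutput, "untrusted value emitted without h(): #{@raw.inspect}"
  end
end

# The h() helper from the post: unwrap and HTML-escape (< > & " ').
def h(value)
  raw = value.is_a?(Untrusted) ? value.raw : value.to_s
  ERB::Util.html_escape(raw)
end

# Render a template with a single local `name`, as a view would.
def render_view(template, name)
  ERB.new(template).result(binding)
end

SAFE_TEMPLATE   = "<p>Hello, <%= h(name) %></p>"
UNSAFE_TEMPLATE = "<p>Hello, <%= name %></p>"

# Renders the template against a constructed hostile input and reports
# [:ok, html] when every untrusted value was escaped, or
# [:unescaped, message] when the template emitted one raw.
def check_template(template)
  [:ok, render_view(template, Untrusted.new("<script>alert(1)</script>"))]
rescue UnescapedOutput => e
  [:unescaped, e.message]
end

if __FILE__ == $0
  p check_template(SAFE_TEMPLATE)    # [:ok, "<p>Hello, &lt;script&gt;alert(1)&lt;/script&gt;</p>"]
  p check_template(UNSAFE_TEMPLATE)  # [:unescaped, "untrusted value emitted without h(): ..."]
end
```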