Last month on the Rails core mailing list, a thread popped up (that went on and on) wherein the idea was proposed that rhtml templates should automatically sanitize output by default. After much back and forth, David suggested those in favor redirect their energies toward a working plugin.
Enter stage left, Erubis. It's a customized implementation of eRuby that provides a handful of features, notably that <%= %> tags automatically HTML-escape their output (what the mailing-list thread called "sanitizing"), while <%== %> is the tag you use when you explicitly do not want the output escaped. That is Erubis's escaped mode; the plain Erubis::Eruby class has the two tags the other way round, so make sure the escaped variant is the one wired into Rails. For all those who wish rhtml files were escaped by default, here is your solution, with one caveat: <%== %> reintroduces the injection risk, so reserve it for markup you generate yourself and never hand it a user-supplied string.
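To make the escaped-by-default behaviour concrete, here is a toy template compiler written for this post (it is not Erubis's own code and does not depend on the Erubis gem) that mimics the two-tag convention: <%= %> runs the expression's result through CGI.escapeHTML from the Ruby standard library, <%== %> appends it raw, and <% %> is a plain Ruby statement. The template, the attacker-controlled USER_INPUT value and the trusted markup are all constructed for the demo.

```ruby
require "cgi"

# Toy version of the escaped-mode eRuby convention described above.
# Illustrative code for this post only; Erubis itself compiles templates differently.
module EscapedTemplate
  # Matches <%== expr %>, <%= expr %> and <% code %> (first capture tells them apart).
  TAG_RE = /<%(==|=|)\s*(.*?)\s*%>/m

  # Compile template text into Ruby source that builds the output in _buf.
  def self.compile(template)
    src = +"_buf = +''\n"
    pos = 0
    template.scan(TAG_RE) do
      m = Regexp.last_match
      text = template[pos...m.begin(0)]
      src << "_buf << #{text.dump}\n" unless text.empty?
      case m[1]
      when "="  then src << "_buf << CGI.escapeHTML((#{m[2]}).to_s)\n" # escaped by default
      when "==" then src << "_buf << (#{m[2]}).to_s\n"                # explicitly raw
      else           src << "#{m[2]}\n"                               # plain Ruby statement
      end
      pos = m.end(0)
    end
    tail = template[pos..-1]
    src << "_buf << #{tail.dump}\n" unless tail.empty?
    src << "_buf\n"
  end

  # Evaluate the compiled template with the given locals and return the rendered string.
  def self.render(template, locals = {})
    b = binding
    locals.each { |k, v| b.local_variable_set(k, v) }
    b.eval(compile(template))
  end
end

# Constructed sample data: a hostile comment body and a snippet of markup the app itself built.
USER_INPUT   = '<script>alert("xss")</script>'
TRUSTED_HTML = "<b>ok</b>"
TEMPLATE     = "<p>Hi <%= name %></p><div><%== trusted_html %></div>" \
               "<% 2.times do |i| %><span><%= i %></span><% end %>"

# Renders the template; the <script> tag is neutralised, the trusted markup passes through.
def render_demo
  EscapedTemplate.render(TEMPLATE, name: USER_INPUT, trusted_html: TRUSTED_HTML)
end

# Same user input through the raw tag: this is the mistake the default protects against.
def render_raw_mistake
  EscapedTemplate.render("<p><%== name %></p>", name: USER_INPUT)
end

puts render_demo if $PROGRAM_NAME == __FILE__
```

Swap the tags on the first line of TEMPLATE and the script tag lands in the page unescaped, which is exactly why the default matters: the safe tag should be the one people type out of habit.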
Configure your Rails apps to use Erubis templates with