Some rails plugins

By squarewheel

The company I work for – Code Sprinters – released three rails plugins I wrote under the MIT licence.

OutputStream and FlashMessages

These two plugins allow safe mixing of unescaped text and HTML content. Strings are marked as being in either format and are then escaped appropriately in the view layer. This allows the developer to embed, e.g., links to other pages in flash messages without worrying about leaving some other piece of data unescaped.

Strings not explicitly marked as safe for HTML are escaped with the default Rails h() helper.

Although currently the plugin only knows how to escape text output to HTML, it can be easily extended to support other formats.

Expose

This plugin is inspired by CherryPy (http://www.cherrypy.org) – a simple yet powerful HTTP application server (and microframework).

This plugin changes the default policy of exporting all public controller methods over HTTP to exporting only explicitly stated methods, and only for the specified HTTP verbs. This helps prevent mistakenly exposing methods that should only be filters, or exposing via GET methods that should only accept POSTs.

Also, it is generally good practice to deny access by default and allow access only when explicitly stated.
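
The deny-by-default policy described above can be sketched in plain Ruby. This is an added example, not the Expose plugin's code: the `expose` macro, `dispatch` method and `AccountsController` are hypothetical names chosen for illustration.

```ruby
# Added illustration; `expose`, `dispatch` and AccountsController are
# hypothetical names, not the Expose plugin's real API.
module ExplicitExpose
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # action name (String) => HTTP verbs allowed to reach it
    def exposed_actions
      @exposed_actions ||= {}
    end

    # Allowlist one action, and only for the given verbs.
    def expose(action, via:)
      exposed_actions[action.to_s] = Array(via).map { |v| v.to_s.upcase }
    end
  end

  # Returns [status, body]. The allowlist is consulted before any method
  # is invoked, so an unlisted public method is treated as absent.
  def dispatch(verb, action)
    verbs = self.class.exposed_actions[action.to_s]
    return [404, "Not Found"] if verbs.nil?
    return [405, "Method Not Allowed"] unless verbs.include?(verb.to_s.upcase)
    [200, public_send(action)]
  end
end

class AccountsController
  include ExplicitExpose

  expose :show,    via: :get
  expose :destroy, via: :post

  def show
    "account page"
  end

  def destroy
    "account deleted"
  end

  # Public method meant to run only as a filter; never exposed.
  def require_login
    "filter ran"
  end
end
```
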

For actual downloads, go to the plugin page.

One Response to “Some rails plugins”

  1. Adam Byrtek Says:

    Those plugins make Rails loose conventions a bit more strict in order to increase security, an important factor which is often overlooked.

    PS. Just wanted to point out that the actual name of the company is Code Sprinters not Codesprinters :)
