XSS Killer protects Rails apps from XSS vulnerabilities without h, sanitize, or taint/untaint proliferation.
XSS Killer HTML-escapes ActiveRecord string and text attributes when they are read in an HTML view. In any other context (console, API responses, background jobs, other models), the model returns the original values exactly as stored in the database, so data is never mangled at rest.
In environment.rb:

  config.gem "xss_killer", "0.1.0"
For specific models:

  class SomeModel < ActiveRecord::Base
    kills_xss :allow_injection => [:name], :sanitize => [:description, :body]
  end

Attributes listed under :allow_injection are read unescaped even in HTML views, so only list fields whose content is trusted or escaped elsewhere. Attributes listed under :sanitize are run through a sanitizer instead of being escaped wholesale, for fields that legitimately hold markup.

For all models:

  class ActiveRecord::Base
    kills_xss
  end
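As an added example (not the gem's own code), the following Rails-free sketch reproduces the behaviour this README describes so the escaping rule and the effect of :allow_injection and :sanitize can be run and inspected. KillsXss.html_view, SAFE_TAGS and the Comment class are assumptions made for this demonstration; the real gem hooks ActiveRecord attribute readers and Rails view rendering, which this does not reproduce.

```ruby
require 'cgi'

# Added example, not xss_killer's implementation: a minimal model mixin that
# HTML-escapes string attributes when read inside an "html view" context and
# returns them verbatim everywhere else. Names under :allow_injection bypass
# escaping; names under :sanitize keep an allow-list of harmless tags.
module KillsXss
  # Tags that :sanitize re-enables after escaping. Exact tokens only (no
  # attributes), so event handlers and javascript: URLs cannot ride along.
  SAFE_TAGS = %w[b i em strong p].freeze

  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    def kills_xss(allow_injection: [], sanitize: [])
      @xss_allow_injection = allow_injection.map(&:to_sym)
      @xss_sanitize = sanitize.map(&:to_sym)
    end

    def xss_allow_injection
      @xss_allow_injection || []
    end

    def xss_sanitize
      @xss_sanitize || []
    end
  end

  # Thread-local flag standing in for "an HTML view is being rendered"
  # (assumption: the gem detects this from Rails; here it is set explicitly).
  def self.html_view
    prev = Thread.current[:xss_html_view]
    Thread.current[:xss_html_view] = true
    yield
  ensure
    Thread.current[:xss_html_view] = prev
  end

  def self.html_view?
    Thread.current[:xss_html_view] == true
  end

  # Escape everything, then re-enable only exact SAFE_TAGS tokens. A tag with
  # attributes (e.g. <b onclick=...>) never matches and stays escaped.
  def self.sanitize(str)
    escaped = CGI.escapeHTML(str)
    SAFE_TAGS.each do |tag|
      escaped = escaped.gsub("&lt;#{tag}&gt;", "<#{tag}>")
                       .gsub("&lt;/#{tag}&gt;", "</#{tag}>")
    end
    escaped
  end

  # Applied by every attribute reader: raw outside HTML views, otherwise
  # raw / sanitized / escaped depending on how the attribute was declared.
  def read_attribute_for_output(name, raw)
    return raw unless raw.is_a?(String) && KillsXss.html_view?
    return raw if self.class.xss_allow_injection.include?(name)
    return KillsXss.sanitize(raw) if self.class.xss_sanitize.include?(name)
    CGI.escapeHTML(raw)
  end
end

# Hypothetical model standing in for an ActiveRecord class.
class Comment
  include KillsXss
  kills_xss allow_injection: [:name], sanitize: [:body]

  def initialize(attrs)
    @attrs = attrs
  end

  # Stand-in for ActiveRecord's generated attribute readers.
  %i[name body email].each do |attr|
    define_method(attr) { read_attribute_for_output(attr, @attrs[attr]) }
  end
end

# Constructed sample input: a classic probe in every field.
PAYLOAD = '<script>alert(1)</script>'.freeze
comment = Comment.new(name: PAYLOAD, body: "<b>hi</b> #{PAYLOAD}", email: 'x@y <z>')

comment.email                            # raw, no view context
KillsXss.html_view { comment.email }     # escaped
KillsXss.html_view { comment.name }      # raw: :allow_injection is a hole unless name is trusted
KillsXss.html_view { comment.body }      # <b> survives, <script> is escaped
```

The name field shows why :allow_injection deserves scrutiny in review: it is exactly the attribute that will reach the page unescaped, so the trust decision has moved from the template to the model declaration.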
Requires Rails >= 2.0.
Hosted on GitHub.
Released under Ruby's license.