From: Michael Koziarski
To: Rack Development
Date: Mon, 5 Oct 2009 14:58:00 -0700 (PDT)
Subject: Questions about the Prohibition of String Subclasses in responses
Reply-To: rack-devel@googlegroups.com
Mailing-List: list rack-devel@googlegroups.com; contact rack-devel+owner@googlegroups.com

Hey Guys,

As I prepare to merge the new on-by-default XSS protection into rails I'm bumping up against a constraint in rack, and I'm having trouble figuring out why it's there.

http://github.com/chneukirchen/rack/blob/master/lib/rack/lint.rb#L465-475

Our XSS-safe responses will fail this test because they return an instance of ActionView::SafeBuffer which is a subclass of String. We use a subclass so that we can make all the concat and append operations escape their arguments.

What's the rationale for preventing me from sending a subclass of string? Can we just change this stuff to use Object#kind_of? instead?

Cheers

Koz
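An added example, not Rack's or Rails' code, of the conflict described in the message: a constructed String subclass that escapes whatever is appended to it (the property Koz wants from ActionView::SafeBuffer), checked once with instance_of? as lint.rb does and once with kind_of? as proposed. HtmlSafeBuffer, render_comment and lint_body are names chosen for this example.

```ruby
require "cgi"

# Stand-in for ActionView::SafeBuffer (constructed for this example, not the
# Rails implementation): a String subclass whose append operations HTML-escape
# their argument unless that argument is itself already marked html-safe.
class HtmlSafeBuffer < String
  def html_safe?
    true
  end

  def concat(other)
    safe = other.respond_to?(:html_safe?) && other.html_safe?
    super(safe ? other : CGI.escapeHTML(other.to_s))
  end

  def <<(other)
    concat(other)
  end
end

# Builds a response body part from untrusted input. The input is escaped on
# append; the trailing markup is pre-marked safe and appended verbatim.
def render_comment(user_input)
  buf = HtmlSafeBuffer.new("<p>")
  buf << user_input
  buf << HtmlSafeBuffer.new("</p>")
  buf
end

# Lint-style check over each body part. strict: true mirrors an instance_of?
# test, which rejects every String subclass; strict: false is the kind_of?
# variant, which accepts subclasses such as HtmlSafeBuffer.
def lint_body(parts, strict: true)
  parts.all? do |part|
    strict ? part.instance_of?(String) : part.kind_of?(String)
  end
end

if __FILE__ == $PROGRAM_NAME
  body = [render_comment("<script>alert(1)</script>")]
  puts body.first                      # escaped markup
  puts lint_body(body, strict: true)   # false: subclass rejected
  puts lint_body(body, strict: false)  # true: subclass accepted
end
```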