XSS Shield protects your views against cross-site scripting attacks without error-prone manual escaping with h().

Instead of: <h3><%= h(item.name) %></h3> <p><%= link_to "#{h(item.first_name)}'s stuff", :action => :view, :id => item %></p>

You will be able to write: <h3><%= item.name %></h3> <p><%= link_to "#{item.first_name}'s stuff", :action => :view, :id => item %></p>

and all your views will be automatically protected. Protection works by tagging strings you trust - which are only those escaped by h(), generated by trusted helpers (like link_to, text_area, will_paginate etc.), or explicitly marked as trusted by you. If untrusted string is to be displayed in a template it is h-escaped first.

XSS Shield supports RHTML and HAML.

To install the plugin run: ./script/plugin install -x http://xss-shield.googlecode.com/svn/trunk/xss-shield/