Preventing XSS in a Rails app, accepted architecture?
I've read and understand the great ways Rails sanitizes data when going from server to client, but I have a question that I would love to get some guidance/input on.
Some developers are now discussing sanitizing all data and fields on form input, but I feel this is complete overkill since the problem is that we have client side vulnerabilities with the popups, etc.
Does anyone out there actually sanitize values on form validation? Not only do I feel that this is overkill, it could lead to problems with data changing unexpectedly, etc.
What are your thoughts when architecting field persistence in a Rails app to prevent XSS?
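As an added illustration of the trade-off the question raises (example code written here, not from any answer and not Rails' own code): it contrasts persisting input unchanged and escaping once at render time with ERB::Util.html_escape, which is the escaping Rails applies to `<%= %>` output, against escaping at form-input time, which alters the stored data and then double-encodes it when the template escapes it again. Sample inputs are constructed.

```ruby
require 'erb'

# Constructed sample submissions (not taken from the question).
SAMPLES = [
  'Ann & Bob',                  # legitimate ampersand in a name
  '1 < 2 and 3 > 2',            # legitimate comparison text
  '<script>alert(1)</script>',  # markup that must never reach the DOM unescaped
].freeze

# Design A: persist the value as submitted and escape once at render time.
# ERB::Util.html_escape is the escaping Rails applies to <%= %> output.
def render_escaped(stored)
  ERB::Util.html_escape(stored)
end

# Design B (the "sanitize every field on input" proposal): escape before saving,
# then render through the same template escaping as everything else.
def store_escaped(input)
  ERB::Util.html_escape(input)
end

# True when the text still contains raw HTML delimiters.
def raw_markup?(text)
  text.match?(/[<>"']/)
end

# Compare what the database holds and what the browser receives under each design.
def compare(input)
  from_raw = render_escaped(input)
  stored = store_escaped(input)
  from_stored = render_escaped(stored)
  {
    rendered_from_raw: from_raw,
    stored_escaped: stored,
    rendered_from_escaped: from_stored,
    data_changed: stored != input,                 # Design B altered the persisted value
    double_encoded: from_stored != from_raw,       # Design B shows "&amp;lt;" to the user
    markup_reaches_browser: raw_markup?(from_raw), # Design A's rendered output is inert
  }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |s|
    r = compare(s)
    puts "input:     #{s}"
    puts "  A renders: #{r[:rendered_from_raw]}"
    puts "  B stores:  #{r[:stored_escaped]}  (changed=#{r[:data_changed]})"
    puts "  B renders: #{r[:rendered_from_escaped]}  (double-encoded=#{r[:double_encoded]})"
  end
end
```

Design A keeps the database faithful to what the user typed and still sends only inert text to the browser; the remaining exposure is any view that bypasses escaping with `raw` or `html_safe`, which is where review effort belongs.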