I released CrossSiteSniper version 0.3 today with one small enhancement.

In v0.2, only instance methods directly associated with a column in the database could return their data without HTML escaping via the _without_html_escaping call. Now, thanks to the magic of method_missing, that works on all methods. So, imagine you have a method defined in your model that draws from one or more text fields in your table. Usually each of those fields will be escaped by CrossSiteSniper. But now, calling that same method with the '_without_html_escaping' suffix will temporarily turn off HTML escaping just long enough for that method to get all its data and return the unescaped result of whatever it does. It's not a feature most people will have a need for, but we did come across a need for it at the day job, so now you can use it too.
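The pattern described above, as an added sketch that is not CrossSiteSniper's own code: EscapedRecord, Comment, read and sample_comment are hypothetical names, and ERB::Util.html_escape stands in for the plugin's escaping. It shows the suffix handled through method_missing, with the escaping flag restored in an ensure block so an exception cannot leave escaping switched off.

```ruby
require 'erb'

# Hypothetical stand-in for a model whose text fields are escaped on read.
class EscapedRecord
  SUFFIX = '_without_html_escaping'.freeze

  def initialize(attrs)
    @attrs = attrs
    @escaping = true
  end

  # Field reader: escapes unless escaping is currently suspended.
  def read(name)
    value = @attrs.fetch(name)
    @escaping ? ERB::Util.html_escape(value) : value
  end

  def method_missing(name, *args, &block)
    base = name.to_s.delete_suffix(SUFFIX)
    return super if base == name.to_s || !respond_to?(base)
    previous = @escaping
    @escaping = false
    begin
      public_send(base, *args, &block)
    ensure
      @escaping = previous # restored even when the wrapped method raises
    end
  end

  def respond_to_missing?(name, include_private = false)
    s = name.to_s
    (s.end_with?(SUFFIX) && respond_to?(s.delete_suffix(SUFFIX))) || super
  end
end

class Comment < EscapedRecord
  def title; read(:title); end
  def body;  read(:body);  end
  def summary; "#{title}: #{body}"; end # derived from two text fields
  def broken; raise ArgumentError, "failed after reading #{title}"; end
end

# Constructed sample data.
def sample_comment
  Comment.new(title: 'Q&A', body: '<b>hi</b>')
end
```

Anything returned by a suffixed call is raw user input, so it belongs only in contexts that do their own encoding, never directly in an HTML template.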
