diff options
| author | Francesco Rodriguez <lrodriguezsanc@gmail.com> | 2012-12-10 19:04:11 -0500 |
|---|---|---|
| committer | Francesco Rodriguez <lrodriguezsanc@gmail.com> | 2012-12-10 19:04:11 -0500 |
| commit | 46d63d5b209e170687860ce4122b07070342c3ba (patch) | |
| tree | 24c2517db3808f49166ff4456f9dc7031289fb3a | |
| parent | 336bbb17e335323c0828165dd8f8f09b627664f1 (diff) | |
| download | rails-46d63d5b209e170687860ce4122b07070342c3ba.tar.gz rails-46d63d5b209e170687860ce4122b07070342c3ba.tar.bz2 rails-46d63d5b209e170687860ce4122b07070342c3ba.zip | |
remove Mass Assignment reference from Security GuideĀ [ci skip]
| -rw-r--r-- | guides/source/security.md | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/guides/source/security.md b/guides/source/security.md index a2a7e5baae..8096ea2383 100644 --- a/guides/source/security.md +++ b/guides/source/security.md @@ -554,7 +554,6 @@ NOTE: _When sanitizing, protecting or verifying something, whitelists over black A blacklist can be a list of bad e-mail addresses, non-public actions or bad HTML tags. This is opposed to a whitelist which lists the good e-mail addresses, public actions, good HTML tags and so on. Although sometimes it is not possible to create a whitelist (in a SPAM filter, for example), _prefer to use whitelist approaches_: * Use before_action only: [...] instead of except: [...]. This way you don't forget to turn it off for newly added actions. -* Use attr_accessible instead of attr_protected. See the mass-assignment section for details * Allow <strong> instead of removing <script> against Cross-Site Scripting (XSS). See below for details. * Don't try to correct user input by blacklists: * This will make the attack work: "<sc<script>ript>".gsub("<script>", "") |