author | Eileen M. Uchitelle <eileencodes@gmail.com> | 2015-05-09 11:54:47 -0400 |
---|---|---|
committer | Eileen M. Uchitelle <eileencodes@gmail.com> | 2015-05-09 11:54:47 -0400 |
commit | 5b63a3d7d08bb3b85682877e8a6e8d2ea19da084 (patch) | |
tree | dcc5d6626316bcb38bbc4b26ba63324dea93a35e | |
parent | 16d7f6d08d0d64d56409f63e0d97a5b6b0307d59 (diff) | |
parent | a834c64a75481dc62416bfb9f81834e5fe028ffe (diff) | |
download | rails-5b63a3d7d08bb3b85682877e8a6e8d2ea19da084.tar.gz rails-5b63a3d7d08bb3b85682877e8a6e8d2ea19da084.tar.bz2 rails-5b63a3d7d08bb3b85682877e8a6e8d2ea19da084.zip |
Merge pull request #20086 from farukaydin/before-action-doc
promote :except option instead of :only for before action docs [ci skip]
-rw-r--r-- | guides/source/security.md | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/guides/source/security.md b/guides/source/security.md index 390375b75d..a464b83838 100644 --- a/guides/source/security.md +++ b/guides/source/security.md @@ -572,7 +572,7 @@ NOTE: _When sanitizing, protecting or verifying something, prefer whitelists ove A blacklist can be a list of bad e-mail addresses, non-public actions or bad HTML tags. This is opposed to a whitelist which lists the good e-mail addresses, public actions, good HTML tags and so on. Although sometimes it is not possible to create a whitelist (in a SPAM filter, for example), _prefer to use whitelist approaches_: -* Use before_action only: [...] instead of except: [...]. This way you don't forget to turn it off for newly added actions. +* Use before_action except: [...] instead of only: [...] for security-related actions. This way you don't forget to enable security checks for newly added actions. * Allow <strong> instead of removing <script> against Cross-Site Scripting (XSS). See below for details. * Don't try to correct user input by blacklists: * This will make the attack work: "<sc<script>ript>".gsub("<script>", "") |
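Review bot: The replaced bullet now recommends `except:` directly under a NOTE that tells readers to prefer whitelists over blacklists, so the bullet should spell out why this is the right call for security filters rather than leave an apparent contradiction: with `except:` the `before_action` runs for every action by default and only the listed actions opt out, so a newly added action is protected unless someone deliberately names it, whereas with `only:` a forgotten action silently runs without the check. Suggest something like `* Use before_action except: [...] instead of only: [...] for security-related actions, so that the secure behaviour is the default for any action added later.` The direction of the change itself is correct; it is only the rationale that needs to be explicit.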