diff options
author | Michael Schuerig <michael@schuerig.de> | 2008-05-12 00:12:22 +0200 |
---|---|---|
committer | Michael Koziarski <michael@koziarski.com> | 2008-05-12 10:22:17 +1200 |
commit | 9a137506a1267ec5938fcec4d2ff135f15037459 (patch) | |
tree | ee0438a682fdd3b5e8f86165e7b72485b2031003 /actionpack/lib/action_view/helpers | |
parent | 236f0bb67adecbc1e6dac5258e4a8cb310ffd7a4 (diff) | |
download | rails-9a137506a1267ec5938fcec4d2ff135f15037459.tar.gz rails-9a137506a1267ec5938fcec4d2ff135f15037459.tar.bz2 rails-9a137506a1267ec5938fcec4d2ff135f15037459.zip |
Added not to sanitize helper docs that it doesn't guarantee well-formed markup.
Signed-off-by: Michael Koziarski <michael@koziarski.com>
[#166 state:resolved]
Diffstat (limited to 'actionpack/lib/action_view/helpers')
-rw-r--r-- | actionpack/lib/action_view/helpers/sanitize_helper.rb | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/actionpack/lib/action_view/helpers/sanitize_helper.rb b/actionpack/lib/action_view/helpers/sanitize_helper.rb index 3129ff414e..6c0a7ec25c 100644 --- a/actionpack/lib/action_view/helpers/sanitize_helper.rb +++ b/actionpack/lib/action_view/helpers/sanitize_helper.rb @@ -48,6 +48,11 @@ module ActionView # config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style' # end # + # Please note that sanitizing user-provided text does not guarantee that the + # resulting markup is valid (conforming to a document type) or even well-formed. + # The output may still contain e.g. unescaped '<', '>', '&' characters and + # confuse browsers. + # def sanitize(html, options = {}) self.class.white_list_sanitizer.sanitize(html, options) end |