Merge branch 'master' of git@github.com:rails/rails

author: Pratik Naik <pratiknaik@gmail.com> 2008-05-11 23:59:27 +0100
committer: Pratik Naik <pratiknaik@gmail.com> 2008-05-11 23:59:27 +0100
commit: c11bd7e713c7e79c579dd901585652c959d1e2c7 (patch)
tree: 16a44a7df198c00f03fdcaa6853264f00170523e /actionpack/lib/action_view
parent: 80e18e759e5244bbffd637e306f4f18b92af5caf (diff)
parent: 9a137506a1267ec5938fcec4d2ff135f15037459 (diff)
download: rails-c11bd7e713c7e79c579dd901585652c959d1e2c7.tar.gz
rails-c11bd7e713c7e79c579dd901585652c959d1e2c7.tar.bz2
rails-c11bd7e713c7e79c579dd901585652c959d1e2c7.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/actionpack/lib/action_view/helpers/sanitize_helper.rb b/actionpack/lib/action_view/helpers/sanitize_helper.rb
index 3129ff414e..6c0a7ec25c 100644
--- a/actionpack/lib/action_view/helpers/sanitize_helper.rb
+++ b/actionpack/lib/action_view/helpers/sanitize_helper.rb
@@ -48,6 +48,11 @@ module ActionView
       #     config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style'
       #   end
       # 
+      # Please note that sanitizing user-provided text does not guarantee that the
+      # resulting markup is valid (conforming to a document type) or even well-formed.
+      # The output may still contain e.g. unescaped '<', '>', '&' characters and
+      # confuse browsers.
+      #
       def sanitize(html, options = {})
         self.class.white_list_sanitizer.sanitize(html, options)
       end
author	Pratik Naik <pratiknaik@gmail.com>	2008-05-11 23:59:27 +0100
committer	Pratik Naik <pratiknaik@gmail.com>	2008-05-11 23:59:27 +0100
commit	c11bd7e713c7e79c579dd901585652c959d1e2c7 (patch)
tree	16a44a7df198c00f03fdcaa6853264f00170523e /actionpack/lib/action_view
parent	80e18e759e5244bbffd637e306f4f18b92af5caf (diff)
parent	9a137506a1267ec5938fcec4d2ff135f15037459 (diff)
download	rails-c11bd7e713c7e79c579dd901585652c959d1e2c7.tar.gz rails-c11bd7e713c7e79c579dd901585652c959d1e2c7.tar.bz2 rails-c11bd7e713c7e79c579dd901585652c959d1e2c7.zip