diff options
author | Gaurav Sharma <gaurav2728@gmail.com> | 2014-06-06 17:10:36 +0530 |
---|---|---|
committer | Gaurav Sharma <gaurav2728@gmail.com> | 2014-06-06 22:26:56 +0530 |
commit | 19ef270923cfa498b904cb3cc4484c83e463f371 (patch) | |
tree | 246aa0e4b4f0f3c75d4b9dd91b6aa662ba1d9536 /guides/source/security.md | |
parent | 0502189b504640a95a4729fac5c6a41c27de960f (diff) | |
download | rails-19ef270923cfa498b904cb3cc4484c83e463f371.tar.gz rails-19ef270923cfa498b904cb3cc4484c83e463f371.tar.bz2 rails-19ef270923cfa498b904cb3cc4484c83e463f371.zip |
remove rubyforge.org that was shut down [ci skip]
Diffstat (limited to 'guides/source/security.md')
-rw-r--r-- | guides/source/security.md | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/guides/source/security.md b/guides/source/security.md index 75d8c8e4c8..7e39986f8b 100644 --- a/guides/source/security.md +++ b/guides/source/security.md @@ -741,7 +741,7 @@ s = sanitize(user_input, tags: tags, attributes: %w(href title)) This allows only the given tags and does a good job, even against all kinds of tricks and malformed tags. -As a second step, _it is good practice to escape all output of the application_, especially when re-displaying user input, which hasn't been input-filtered (as in the search form example earlier on). _Use `escapeHTML()` (or its alias `h()`) method_ to replace the HTML input characters &, ", <, > by their uninterpreted representations in HTML (`&`, `"`, `<`;, and `>`). However, it can easily happen that the programmer forgets to use it, so _it is recommended to use the [SafeErb](http://safe-erb.rubyforge.org/svn/plugins/safe_erb/) plugin_. SafeErb reminds you to escape strings from external sources. +As a second step, _it is good practice to escape all output of the application_, especially when re-displaying user input, which hasn't been input-filtered (as in the search form example earlier on). _Use `escapeHTML()` (or its alias `h()`) method_ to replace the HTML input characters &, ", <, > by their uninterpreted representations in HTML (`&`, `"`, `<`;, and `>`). However, it can easily happen that the programmer forgets to use it, so _it is recommended to use the SafeErb gem. SafeErb reminds you to escape strings from external sources. ##### Obfuscation and Encoding Injection |