diff options
author | Vipul A M <vipulnsward@gmail.com> | 2016-11-18 00:11:48 +0530 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-11-18 00:11:48 +0530 |
commit | 8d015dff821875faab3429badbc378dc4c80b90c (patch) | |
tree | 155c9370bcd642bcf159c70cf6ef170cac7924f7 /guides/source | |
parent | a48740deed584523b45eafcc70439681e815af32 (diff) | |
download | rails-8d015dff821875faab3429badbc378dc4c80b90c.tar.gz rails-8d015dff821875faab3429badbc378dc4c80b90c.tar.bz2 rails-8d015dff821875faab3429badbc378dc4c80b90c.zip |
Remove mention of deprecated SafeERB gem from security docs for now, prior section already speaks about sanitization as a safety measure. [ci skip] (#27086)
Fixes #27085
Diffstat (limited to 'guides/source')
-rw-r--r-- | guides/source/security.md | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/guides/source/security.md b/guides/source/security.md index aea9728c10..bb67eb75d9 100644 --- a/guides/source/security.md +++ b/guides/source/security.md @@ -762,7 +762,7 @@ s = sanitize(user_input, tags: tags, attributes: %w(href title)) This allows only the given tags and does a good job, even against all kinds of tricks and malformed tags. -As a second step, _it is good practice to escape all output of the application_, especially when re-displaying user input, which hasn't been input-filtered (as in the search form example earlier on). _Use `escapeHTML()` (or its alias `h()`) method_ to replace the HTML input characters &, ", <, and > by their uninterpreted representations in HTML (`&`, `"`, `<`, and `>`). However, it can easily happen that the programmer forgets to use it, so _it is recommended to use the SafeErb gem. SafeErb reminds you to escape strings from external sources. +As a second step, _it is good practice to escape all output of the application_, especially when re-displaying user input, which hasn't been input-filtered (as in the search form example earlier on). _Use `escapeHTML()` (or its alias `h()`) method_ to replace the HTML input characters &, ", <, and > by their uninterpreted representations in HTML (`&`, `"`, `<`, and `>`). ##### Obfuscation and Encoding Injection |