diff options
Diffstat (limited to 'guides/source')
| -rw-r--r-- | guides/source/api_app.md | 2 | ||||
| -rw-r--r-- | guides/source/security.md | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/guides/source/api_app.md b/guides/source/api_app.md index 29ca872254..1652d91086 100644 --- a/guides/source/api_app.md +++ b/guides/source/api_app.md @@ -367,7 +367,7 @@ controller modules by default: methods returning `ActionDispatch::Request` and `ActionDispatch::Response` objects. - `ActionController::DataStreaming`: Support for `send_file` and `send_data`. -- `AbstractController::Callbacks`: Support for `before_filter` and friends. +- `AbstractController::Callbacks`: Support for `before_action` and friends. - `ActionController::Instrumentation`: Support for the instrumentation hooks defined by Action Controller (see [the instrumentation guide](active_support_instrumentation.html#action-controller)). diff --git a/guides/source/security.md b/guides/source/security.md index 850d111bd7..93c270064a 100644 --- a/guides/source/security.md +++ b/guides/source/security.md @@ -760,7 +760,7 @@ s = sanitize(user_input, tags: tags, attributes: %w(href title)) This allows only the given tags and does a good job, even against all kinds of tricks and malformed tags. -As a second step, _it is good practice to escape all output of the application_, especially when re-displaying user input, which hasn't been input-filtered (as in the search form example earlier on). _Use `escapeHTML()` (or its alias `h()`) method_ to replace the HTML input characters &, ", <, > by their uninterpreted representations in HTML (`&`, `"`, `<`;, and `>`). However, it can easily happen that the programmer forgets to use it, so _it is recommended to use the SafeErb gem. SafeErb reminds you to escape strings from external sources. +As a second step, _it is good practice to escape all output of the application_, especially when re-displaying user input, which hasn't been input-filtered (as in the search form example earlier on). _Use `escapeHTML()` (or its alias `h()`) method_ to replace the HTML input characters &, ", <, and > by their uninterpreted representations in HTML (`&`, `"`, `<`, and `>`). However, it can easily happen that the programmer forgets to use it, so _it is recommended to use the SafeErb gem. SafeErb reminds you to escape strings from external sources. ##### Obfuscation and Encoding Injection |