From 9a137506a1267ec5938fcec4d2ff135f15037459 Mon Sep 17 00:00:00 2001
From: Michael Schuerig <michael@schuerig.de>
Date: Mon, 12 May 2008 00:12:22 +0200
Subject: Added not to sanitize helper docs that it doesn't guarantee
 well-formed markup.

Signed-off-by: Michael Koziarski <michael@koziarski.com>

[#166 state:resolved]
---
 actionpack/lib/action_view/helpers/sanitize_helper.rb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/actionpack/lib/action_view/helpers/sanitize_helper.rb b/actionpack/lib/action_view/helpers/sanitize_helper.rb
index 3129ff414e..6c0a7ec25c 100644
--- a/actionpack/lib/action_view/helpers/sanitize_helper.rb
+++ b/actionpack/lib/action_view/helpers/sanitize_helper.rb
@@ -48,6 +48,11 @@ module ActionView
       #     config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style'
       #   end
       # 
+      # Please note that sanitizing user-provided text does not guarantee that the
+      # resulting markup is valid (conforming to a document type) or even well-formed.
+      # The output may still contain e.g. unescaped '<', '>', '&' characters and
+      # confuse browsers.
+      #
       def sanitize(html, options = {})
         self.class.white_list_sanitizer.sanitize(html, options)
       end
-- 
cgit v1.2.3