Permalink
Browse files

removes mentions to RJS in the security guide

  • Loading branch information...
1 parent d8f23ca commit 6cf1fc5cda56896cad0239905dc8f4bfe73f8280 @fxn fxn committed Mar 29, 2011
Showing with 0 additions and 6 deletions.
  1. +0 −6 railties/guides/source/security.textile
@@ -893,12 +893,6 @@ h4. Ajax Injection
If you use the "in_place_editor plugin":http://dev.rubyonrails.org/browser/plugins/in_place_editing, or actions that return a string, rather than rendering a view, _(highlight)you have to escape the return value in the action_. Otherwise, if the return value contains a XSS string, the malicious code will be executed upon return to the browser. Escape any input value using the h() method.
-h4. RJS Injection
-
--- _Don't forget to escape in JavaScript (RJS) templates, too._
-
-The RJS API generates blocks of JavaScript code based on Ruby code, thus allowing you to manipulate a view or parts of a view from the server side. <em class="highlight">If you allow user input in RJS templates, do escape it using +escape_javascript()+ within JavaScript functions, and in HTML parts using +h()+</em>. Otherwise an attacker could execute arbitrary JavaScript.
-
h4. Command Line Injection
-- _Use user-supplied command line parameters with caution._

0 comments on commit 6cf1fc5

Please sign in to comment.