From 6cf1fc5cda56896cad0239905dc8f4bfe73f8280 Mon Sep 17 00:00:00 2001 From: Xavier Noria Date: Tue, 29 Mar 2011 22:14:11 +0200 Subject: [PATCH] removes mentions to RJS in the security guide --- railties/guides/source/security.textile | 6 ------ 1 file changed, 6 deletions(-) diff --git a/railties/guides/source/security.textile b/railties/guides/source/security.textile index 893f65856c..c9dc1c2d7c 100644 --- a/railties/guides/source/security.textile +++ b/railties/guides/source/security.textile @@ -893,12 +893,6 @@ h4. Ajax Injection If you use the "in_place_editor plugin":http://dev.rubyonrails.org/browser/plugins/in_place_editing, or actions that return a string, rather than rendering a view, _(highlight)you have to escape the return value in the action_. Otherwise, if the return value contains a XSS string, the malicious code will be executed upon return to the browser. Escape any input value using the h() method. -h4. RJS Injection - --- _Don't forget to escape in JavaScript (RJS) templates, too._ - -The RJS API generates blocks of JavaScript code based on Ruby code, thus allowing you to manipulate a view or parts of a view from the server side. If you allow user input in RJS templates, do escape it using +escape_javascript()+ within JavaScript functions, and in HTML parts using +h()+. Otherwise an attacker could execute arbitrary JavaScript. - h4. Command Line Injection -- _Use user-supplied command line parameters with caution._ -- GitLab