Warning: the link_to method is NOT safe because it is not properly encoding all characters into percent-encoding (it skips the slash).
In your video, if you click on the link with the "...</strong>" text your application probably wouldn't work, because the slash in this string would break your routing rules.
Actually this is not an XSS safety issue, but an attacker could provide a string that would keep the app from working (broken links).
I have no idea why link_to encodes only a few characters and not all of them according to the specs.
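To make the difference between the two encoding behaviours concrete, here is an added example (it is not code from the comment above, the video, or Rails itself). It contrasts a loose encoder that treats "/" as a reserved, pass-through character (the old URI.escape rules from RFC 2396) with a strict RFC 3986 segment encoder that percent-encodes everything outside the unreserved set, and feeds both results through a hypothetical route "/articles/:title" (the route and the toy matcher are assumptions for this example, not the original app's routes or Rails' router):

```ruby
require "uri"
require "erb"

# Strict RFC 3986 segment encoding: percent-encode every byte outside the
# "unreserved" set (ALPHA / DIGIT / "-" / "." / "_" / "~"), so "/" becomes
# %2F and "<" / ">" become %3C / %3E. ERB::Util.url_encode does exactly this.
def strict_segment(str)
  ERB::Util.url_encode(str)
end

# Loose encoding in the style of the old URI.escape (RFC 2396 rules): only
# characters outside RFC 2396's unreserved+reserved sets are escaped, and "/"
# is reserved, so a slash inside user data is passed through untouched.
def loose_segment(str)
  URI::RFC2396_Parser.new.escape(str)
end

# Decode one path segment by reversing percent-encoding byte by byte. We avoid
# decode_www_form_component here because it would also turn "+" into a space.
def decode_segment(seg)
  seg.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }.force_encoding(Encoding::UTF_8)
end

# Hypothetical route "/articles/:title" (an assumption for this example).
# Like a router, it splits the path on "/" and matches only when there are
# exactly three segments; any other shape is a "no route matches" error.
def match_article_route(path)
  parts = path.split("/", -1)
  return nil unless parts.length == 3 && parts[0] == "" && parts[1] == "articles"
  { title: decode_segment(parts[2]) }
end

def strict_link(title)
  "/articles/#{strict_segment(title)}"
end

def loose_link(title)
  "/articles/#{loose_segment(title)}"
end

if __FILE__ == $PROGRAM_NAME
  attacker_title = "...</strong>" # constructed input, the string from the comment
  [["strict", strict_link(attacker_title)],
   ["loose",  loose_link(attacker_title)]].each do |name, href|
    puts "#{name}: #{href} -> #{match_article_route(href).inspect}"
  end
end
```

With the strict encoder the attacker-controlled title comes back out of the route intact; with the loose encoder the literal "/" produces a fourth segment and the route no longer matches, which is the "broken links" failure described above. One caveat when you do encode slashes strictly: some front-end servers reject or rewrite "%2F" in the path by default (Apache's AllowEncodedSlashes directive governs this), so check that the encoded link survives the whole request path, not just the application's router.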