Sign in through GitHub

Please read for an updated status on RailsCasts:

Learn more or hide this

lzap's Profile

GitHub User: lzap

Site: lukas.zapletalovi.com

Comments by lzap

Avatar

Warning: link_to method is NOT safe because its not properly encoding all characters into percent-encoding (skipping slash)

In your video if you click on the link with "...</strong>" text your application woulnt probably work because the slash in this string would brake your routing rules.

Actually this is not an XSS safety but an attacker could provide a string that would break the app from working (broken links).

I have no idea why link_to encodes only few characters and not all according to the specs.