
lzap's Profile

GitHub User: lzap

Site: lukas.zapletalovi.com

Comments by lzap


Warning: the link_to method is NOT safe because it's not properly encoding all characters into percent-encoding (it skips the slash).

In your video, if you click on the link with the "...</strong>" text, your application probably wouldn't work, because the slash in this string would break your routing rules.

Actually, this is not an XSS safety issue, but an attacker could provide a string that would stop the app from working (broken links).

I have no idea why link_to encodes only a few characters and not all of them according to the specs.
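The failure mode the comment describes (a "/" inside a user-supplied value turning one path segment into several) and the defensive fix (percent-encode the value before it goes into the path) can be shown with Ruby's standard library alone. This is an added example, not code from the commenter or from RailsCasts, and it makes no claim about what link_to itself does: it assumes a hypothetical /articles/:title route and uses ERB::Util.url_encode, which encodes everything outside the RFC 3986 unreserved set, so "/" becomes "%2F" and the value stays a single segment.

```ruby
require "erb"
require "uri"

# Constructed sample input: a user-supplied title containing a slash and markup.
SAMPLE_TITLE = "Ruby/Rails <strong>tips</strong>"

# Hardened: percent-encode the whole value as one path segment.
# ERB::Util.url_encode encodes "/" as %2F, " " as %20, "<" as %3C, etc.
def safe_article_path(title)
  "/articles/#{ERB::Util.url_encode(title)}"
end

# Naive: interpolate the raw value. Any "/" in it adds an extra path segment,
# which is what breaks a route that expects exactly /articles/:title.
def naive_article_path(title)
  "/articles/#{title}"
end

# Count path segments the way a simple router would: split on "/".
def segment_count(path)
  path.split("/").reject(&:empty?).length
end

# Recover the original title from the last segment of an encoded path
# (decode_www_form_component turns %2F back into "/").
def decode_segment(path)
  URI.decode_www_form_component(path.split("/").last)
end

if __FILE__ == $PROGRAM_NAME
  puts "safe:  #{safe_article_path(SAMPLE_TITLE)} (#{segment_count(safe_article_path(SAMPLE_TITLE))} segments)"
  puts "naive: #{naive_article_path(SAMPLE_TITLE)} (#{segment_count(naive_article_path(SAMPLE_TITLE))} segments)"
end
```

Run with `ruby` to see the encoded path keep two segments while the naive path grows to four; the router would only match the former. The encode-then-decode round trip in decode_segment is the check to keep in a test suite, so a value with "/" in it is caught before it reaches production links.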