Commit 07999dca authored by Marcia Ramos

Merge branch 'mbergeron-master-patch-77366' into 'master'

Update doc/development/secure_coding_guidelines.md

See merge request gitlab-org/gitlab!45407
parents 7539e346 2577cc97
...@@ -311,6 +311,7 @@ Specifically, the following options are dangerous because they mark strings as t ...@@ -311,6 +311,7 @@ Specifically, the following options are dangerous because they mark strings as t
|----------------------|-------------------------------| |----------------------|-------------------------------|
| HAML templates | `html_safe`, `raw`, `!=` | | HAML templates | `html_safe`, `raw`, `!=` |
| Embedded Ruby (ERB) | `html_safe`, `raw`, `<%== %>` | | Embedded Ruby (ERB) | `html_safe`, `raw`, `<%== %>` |
In case you want to sanitize user-controlled values against XSS vulnerabilities, you can use In case you want to sanitize user-controlled values against XSS vulnerabilities, you can use
[`ActionView::Helpers::SanitizeHelper`](https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html). [`ActionView::Helpers::SanitizeHelper`](https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html).
Calling `link_to` and `redirect_to` with user-controlled parameters can also lead to cross-site scripting. Calling `link_to` and `redirect_to` with user-controlled parameters can also lead to cross-site scripting.
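Review bot: the added sentence names the risk but not the mechanism or the mitigation, so a reader of the guideline is left knowing only that `link_to` and `redirect_to` "can also lead to cross-site scripting". Suggest saying which argument is the concern (the URL the helper is given) and what to do about it, in the same spirit as the `SanitizeHelper` pointer two lines above: validate user-controlled URLs before passing them to these helpers (for example, accept only relative paths or an allowlist of expected schemes) rather than relying on the helper to make them safe. Consider also whether this belongs as its own short paragraph under the table rather than appended to the sanitizer sentence, since it is a different hazard from the `html_safe`/`raw` options the table lists.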