by Someone1234 3794 days ago
They went through most of the issues and shifted blame for the issue from Rails to the developer/user.

"Hopefully you didn't have this weird name in your routes."

"Stripping tags isn't the best way anyway to filter XSS, so if you're encoding, you're good."

"is negligence, you should not be doing that anyway"

"is not defensive programming, so you should not be doing that too"

It isn't "reflecting", it is blame shifting. And there's a huge difference between defensive programming and being psychic; in this case it is more the latter, as even with features like the sanitiser, we should supposedly have known better than to use them the way the docs tell us to.


Stop making this about ego. The person was helping developers secure their apps and you're trying to make this about who is wrong. Making sure someone feels bad in the open source community won't make anything better.