[ryanlol]

Did you not notice how OP had absolutely nothing to say about the more serious bugs and instead entirely focused on the less serious ones? (Except for the rails-html-sanitizer bug, which is fairly serious)

He does make multiple valid points though.

[bpchaps]

I don't understand comments like these.. He's pointing out a legitimate attitude problem which I, and many others, also agree with. There's absolutely no need for the flippant attitude.

If the users of your framework are consistently causing major security problems and the framework is built in a way that it can't be fixed without compromise.. I dunno.. document it? Maybe? Your documentation is basically the API to learning your framework, so if the API is broken to the extent of causing security problems, then it's not god damn production ready!

Remember, if every student is failing your class, the student probably isn't the one to blame.

[enraged_camel]

>>Remember, if every student is failing your class, the student probably isn't the one to blame.

Except not every student is failing the class. Only those not following best practices are.

For example, if you're using params.permit!, you're simply being lazy. This is clearly documented[1]:

"Extreme care should be taken when using permit! as it will allow all current and future model attributes to be mass-assigned."

[1]https://github.com/rails/strong_parameters#permitted-scalar-...