avoid-content-tag
avoid-render-inline
avoid-link-to
  link_to. In Rails 2.x, the body of link_to is not escaped, so user input that reaches the body is rendered as HTML (and any script in it executes) when the page is rendered. Even in other versions, href values starting with javascript: or data: are passed through unchanged; escaping does not neutralize them. It is better to create and use a safer helper that escapes the body and checks the URL argument.
avoid-html-safe
manual-template-creation
avoid-raw
  html_safe().
avoid-redirect
avoid-default-routes
avoid-render-text
avoid-render-dynamic-path
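The safer helper suggested under avoid-link-to, written out as an added example (this is not code from the original page or from any Rails project). It assumes a hypothetical name, safe_link_to, and uses only the Ruby standard library (ERB::Util for escaping, URI for parsing) so it runs outside Rails: the body is always HTML-escaped, and the href is rejected unless it is a relative path or uses an http, https or mailto scheme, which blocks javascript: and data: URLs including mixed-case and control-character-padded variants that browsers still execute.

```ruby
require "erb"
require "uri"

# Hypothetical helper (assumption, not Rails' link_to): schemes that a link may use.
SAFE_SCHEMES = %w[http https mailto].freeze

class UnsafeUrlError < StandardError; end

# Browsers ignore ASCII control characters and whitespace inside a URL, so
# "java\nscript:alert(1)" still runs as javascript:. Remove them before the
# scheme is inspected so the check sees what the browser will see.
def normalize_href(href)
  href.to_s.gsub(/[\u0000-\u0020]/, "")
end

# True only for a site-relative reference or an absolute URL with an allowed
# scheme. Protocol-relative "//host" references are refused as well, since
# they silently point at another origin.
def safe_href?(href)
  s = normalize_href(href)
  return false if s.empty? || s.start_with?("//")

  begin
    uri = URI.parse(s)
  rescue URI::InvalidURIError
    # e.g. data:text/html,<script> does not even parse; refuse it
    return false
  end

  return true if uri.scheme.nil? # relative reference such as "/account" or "page.html"

  SAFE_SCHEMES.include?(uri.scheme.downcase)
end

# Renders an <a> tag. The body and every attribute value are HTML-escaped, so
# user input cannot inject markup, and the href is refused (raises) when it
# fails safe_href?. Escaping the attribute also defeats entity tricks such as
# "javascript&#58;", because the & becomes &amp; and is never decoded to a colon.
def safe_link_to(body, href, attrs = {})
  raise UnsafeUrlError, "refusing href #{href.inspect}" unless safe_href?(href)

  attr_str = attrs.map do |k, v|
    %( #{ERB::Util.html_escape(k.to_s)}="#{ERB::Util.html_escape(v.to_s)}")
  end.join

  %(<a href="#{ERB::Util.html_escape(normalize_href(href))}"#{attr_str}>) +
    "#{ERB::Util.html_escape(body.to_s)}</a>"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: an attacker-controlled body and a javascript: href.
  puts safe_link_to("<script>alert(1)</script>", "/profile", class: "nav")
  begin
    safe_link_to("click me", "javascript:alert(1)")
  rescue UnsafeUrlError => e
    puts "blocked: #{e.message}"
  end
end
```

Raising on a bad href is deliberate: failing open by rendering the link without an href would hide the bug, while an exception surfaces the tainted input in logs and tests. Extend SAFE_SCHEMES only for schemes the application actually needs.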