@dhh as i mentioned above for GET request this will always be a security breach. So leaving it for POST only? Doesn't make sense. Also https://twitter.com/homakov/status/406426491937759232
On Friday, November 29, 2013 10:11:06 PM UTC+7, DHH wrote: > > Not only are js.erb templates not deprecated, they are a great way to > develop an application with Ajax responses where you can reuse your > server-side templates. It's fine to explore ways to make this more secure > by default, but the fundamental development style of returning JS as a > response is both architecturally sound and an integral part of Rails. So > that's not going anywhere. > > So let's instead explore ways of having better escaping tools, warnings, > or defaults that'll work with the wonders of RJS. > -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-core+unsubscr...@googlegroups.com. To post to this group, send email to rubyonrails-core@googlegroups.com. Visit this group at http://groups.google.com/group/rubyonrails-core. For more options, visit https://groups.google.com/groups/opt_out.
