On Friday, November 29, 2013 10:27:15 PM UTC+7, Egor Homakov wrote:
>
> @dhh as I mentioned above for GET request this will always be a security 
> breach. So leaving it for POST only? Doesn't make sense.
> Also https://twitter.com/homakov/status/406426491937759232
>
> On Friday, November 29, 2013 10:11:06 PM UTC+7, DHH wrote:
>>
>> Not only are js.erb templates not deprecated, they are a great way to 
>> develop an application with Ajax responses where you can reuse your 
>> server-side templates. It's fine to explore ways to make this more secure 
>> by default, but the fundamental development style of returning JS as a 
>> response is both architecturally sound and an integral part of Rails. So 
>> that's not going anywhere.
>>
>> So let's instead explore ways of having better escaping tools, warnings, 
>> or defaults that'll work with the wonders of RJS.
>>
>
