X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits%2FCatalyst-Manual.git;a=blobdiff_plain;f=lib%2FCatalyst%2FManual%2FTutorial%2F04_BasicCRUD.pod;h=f19da1ee59fd102bbaa48e227df4aefe4b9dc1b3;hp=2322b3e16c5696fe2ddcb32de689648ad71c55d5;hb=b3876d9eb98d14bd0b30e58c760fa7e4bcd3eaab;hpb=d5d7ee980cf02b9a519bc006a0f85b965d028ee2 diff --git a/lib/Catalyst/Manual/Tutorial/04_BasicCRUD.pod b/lib/Catalyst/Manual/Tutorial/04_BasicCRUD.pod index 2322b3e..f19da1e 100644 --- a/lib/Catalyst/Manual/Tutorial/04_BasicCRUD.pod +++ b/lib/Catalyst/Manual/Tutorial/04_BasicCRUD.pod @@ -895,7 +895,10 @@ query parameter: Although the sample above only shows the C div, leave the rest of the file intact -- the only change we made to the C was to add "C<|| c.request.params.status_msg>" to the -Cspan class="message"E> line. +Cspan class="message"E> line. Note that we definitely want +the "C<| html>" TT filter here since it would be easy for users to +modify the message on the URL and possibly inject harmful code into the +application if we left that off. =head2 Try the Delete and Redirect With Query Param Logic
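Review bot: The added sentence in this hunk ("Note that we definitely want the C<| html> TT filter here ...") refers to a filter that is not visible in the surrounding context, which only shows the "C<|| c.request.params.status_msg>" addition, so a reader of the tutorial cannot see what "leaving it off" would look like. Quote the complete template line the note is talking about so the sentence is self-contained, and name the actual risk instead of "possibly inject harmful code": since C<c.request.params.status_msg> comes straight from the query string and is rendered into the page, an unescaped value is a reflected cross-site scripting bug, and the point of the C<html> filter is that it escapes the markup characters in whatever is rendered. It is also worth stating explicitly that the filter must apply to the whole C<status_msg || c.request.params.status_msg> expression, not just the session-supplied half, since the query-parameter alternative is exactly the attacker-controlled path the note is warning about.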