projects / catagits/Catalyst-Manual.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw (parent: 333f929)
Add clarification about need for "| html"
hkclark [Thu, 1 Sep 2011 11:20:57 +0000 (07:20 -0400)]
lib/Catalyst/Manual/Tutorial/04_BasicCRUD.pod patch | blob | blame | history

diff --git a/lib/Catalyst/Manual/Tutorial/04_BasicCRUD.pod b/lib/Catalyst/Manual/Tutorial/04_BasicCRUD.pod
index 2322b3e..f19da1e 100644 (file)
--- a/lib/Catalyst/Manual/Tutorial/04_BasicCRUD.pod
+++ b/lib/Catalyst/Manual/Tutorial/04_BasicCRUD.pod
@@ -895,7 +895,10 @@ query parameter:
 Although the sample above only shows the C<content> div, leave the rest
 of the file intact -- the only change we made to the C<wrapper.tt2> was
 to add "C<|| c.request.params.status_msg>" to the
-C<E<lt>span class="message"E<gt>> line.
+C<E<lt>span class="message"E<gt>> line.  Note that we definitely want
+the "C<| html>" TT filter here since it would be easy for users to
+modify the message on the URL and possibly inject harmful code into the
+application if we left that off.
 
 
 =head2 Try the Delete and Redirect With Query Param Logic
Unnamed repository; edit this file 'description' to name the repository.