From: hkclark Date: Thu, 1 Sep 2011 11:20:57 +0000 (-0400) Subject: Add clarification about need for "| html" X-Git-Tag: 5.9003~25^2~30 X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits%2FCatalyst-Manual.git;a=commitdiff_plain;h=b3876d9eb98d14bd0b30e58c760fa7e4bcd3eaab Add clarification about need for "| html" --- diff --git a/lib/Catalyst/Manual/Tutorial/04_BasicCRUD.pod b/lib/Catalyst/Manual/Tutorial/04_BasicCRUD.pod index 2322b3e..f19da1e 100644 --- a/lib/Catalyst/Manual/Tutorial/04_BasicCRUD.pod +++ b/lib/Catalyst/Manual/Tutorial/04_BasicCRUD.pod @@ -895,7 +895,10 @@ query parameter: Although the sample above only shows the C div, leave the rest of the file intact -- the only change we made to the C was to add "C<|| c.request.params.status_msg>" to the -Cspan class="message"E> line. +Cspan class="message"E> line. Note that we definitely want +the "C<| html>" TT filter here since it would be easy for users to +modify the message on the URL and possibly inject harmful code into the +application if we left that off. =head2 Try the Delete and Redirect With Query Param Logic
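Review bot: The added sentence's closing phrase, "possibly inject harmful code into the application", names the risk too loosely for a tutorial. The value comes from c.request.params.status_msg, which the paragraph introduces as a query parameter, and it is rendered inside the span class="message" element, so what an unfiltered value allows is HTML or script injected into the page the browser renders (cross-site scripting), not code running inside the application. Suggest wording along the lines of "inject HTML or JavaScript into the rendered page" and naming XSS explicitly, so readers know what the "| html" filter is protecting against. The phrase "easy for users to modify the message on the URL" could also say that the message is whatever the URL carries, including a link someone else supplied, which is why the filter is needed even though the application normally sets the value itself.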