Closed helenaut closed 12 years ago
So a form_tag does produce an authenticity token. So the worry is about the string interpolation? If so, could it actually cause a security flaw? I know for a SQL statement this would be bad, and I know parts of the URL can get put into any created queries, but at that point I think the offending parts would be sanitized.
I think what Helen meant is that it should use a path helper, something like:
= form_tag nurse_calendar_path(@nurse, @id), :method => :put do
would probably do the trick to remove the dependence on the hardcoded URI. It does not seem to be a security concern though, more of a convention issue.
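To make the convention point concrete, here is an added example (mine, not code from this repository or from any participant) that puts the hardcoded interpolated path from the issue body next to a route-helper style call. Rails is not loaded here, so `route_helper` is a constructed stand-in for what `config/routes.rb` generates as `nurse_calendar_path`; it reproduces only the two properties that matter for the comparison, namely that every dynamic value is percent-encoded as one path segment, and that a missing value raises instead of silently producing a shorter URL. The ids used below are constructed test inputs.

```ruby
require "erb"

# Constructed stand-in for a Rails route helper such as nurse_calendar_path.
# This is NOT Rails' own implementation (Rails builds helpers from
# config/routes.rb via ActionDispatch::Routing); it only mimics the behaviour
# relevant here: dynamic values are escaped as single path segments and a
# missing value raises, as Rails does with ActionController::UrlGenerationError.
def route_helper(pattern)
  segments = pattern.split("/")
  dynamic  = segments.count { |s| s.start_with?(":") }
  lambda do |*values|
    unless values.size == dynamic
      raise ArgumentError, "expected #{dynamic} values, got #{values.size}"
    end
    vals = values.dup
    segments.map do |seg|
      next seg unless seg.start_with?(":")
      v = vals.shift
      raise ArgumentError, "missing required key #{seg}" if v.nil? || v.to_s.empty?
      # Percent-encode so the value can never span more than one segment.
      ERB::Util.url_encode(v.to_s)
    end.join("/")
  end
end

# Hypothetical helper mirroring nurse_calendar_path(@nurse, @id) from the thread.
NURSE_CALENDAR_PATH = route_helper("/nurse/:nurse_id/calendar/:id")

# The hardcoded form from the issue body: plain string interpolation.
def interpolated_path(nurse_id, id)
  "/nurse/#{nurse_id}/calendar/#{id}"
end

# The helper form suggested in the thread.
def helper_path(nurse_id, id)
  NURSE_CALENDAR_PATH.call(nurse_id, id)
end

if __FILE__ == $0
  # Constructed inputs: a normal id, an id containing a slash, and a nil id.
  [[7, 42], [7, "42/../admin"], [7, nil]].each do |nurse_id, id|
    puts "interpolated: #{interpolated_path(nurse_id, id)}"
    begin
      puts "helper:       #{helper_path(nurse_id, id)}"
    rescue ArgumentError => e
      puts "helper:       raised #{e.message}"
    end
  end
end
```

For ordinary integer ids the two produce the same string, which is why the thread treats the change as a convention issue rather than a security fix. The difference shows up only at the edges: an id containing a slash stays one encoded segment with the helper, and a nil id raises instead of yielding a path with a trailing empty segment, so route changes and bad controller state surface as errors rather than as silently wrong URLs.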
Yep, what Sheel said. Should make refactoring/lives easier in the future too! :D
Wait, so would that make it an enhancement or a bug?
Added the approved-by-the-book helpers.
I am David & I am awesome!!!!!
I wish I could like comments, but I can only edit and delete them.
= form_tag "/nurse/#{@nurse_id}/calendar/#{@id}", :method => :put do
Should use a form helper.