diff --git a/railties/guides/source/security.textile b/railties/guides/source/security.textile
index 066da15573..6b84ca1965 100644
--- a/railties/guides/source/security.textile
+++ b/railties/guides/source/security.textile
@@ -528,7 +528,7 @@ Ruby uses a slightly different approach than many other languages to match the e
class File < ActiveRecord::Base
- validates_format_of :name, :with => /^[\w\.\-\+]+$/ # [1]
+ validates_format_of :name, :with => /^[\w\.\-\+]+$/
end
@@ -541,13 +541,9 @@ file.txt%0A
Whereas %0A is a line feed in URL encoding, so Rails automatically converts it to "file.txt\n<script>alert('hello')</script>". This file name passes the filter because the regular expression matches – up to the line end, the rest does not matter. The correct expression should read:
-/\A[\w\.\-\+]+\z/ # [2]
+/\A[\w\.\-\+]+\z/
-fn1. Obviously, this regular expression gets rendered incorrectly by Textile. Could the original author please see into this?
-
-fn2. And this too, please.
-
h4. Privilege escalation
-- _Changing a single parameter may give the user unauthorized access. Remember that every parameter may be changed, no matter how much you hide or obfuscate it._