Sorry, wrong patch applied.

railties/guides/source/security.textile

@@ -528,7 +528,7 @@ Ruby uses a slightly different approach than many other languages to match the e
 
 <ruby>
 class File < ActiveRecord::Base
-  validates_format_of :name, :with => /^[\w\.\-\+]+$/ # [1]
+  validates_format_of :name, :with => /^[\w\.\-\+]+$/
 end
 </ruby>
 
@@ -541,13 +541,9 @@ file.txt%0A<script>alert('hello')</script>
 Whereas %0A is a line feed in URL encoding, so Rails automatically converts it to "file.txt\n&lt;script&gt;alert('hello')&lt;/script&gt;". This file name passes the filter because the regular expression matches – up to the line end, the rest does not matter. The correct expression should read:
 
 <ruby>
-/\A[\w\.\-\+]+\z/ # [2]
+/\A[\w\.\-\+]+\z/
 </ruby>
 
-fn1. Obviously, this regular expression gets rendered incorrectly by Textile. Could the original author please see into this?
-
-fn2. And this too, please.
-
 h4. Privilege escalation
 
 -- _Changing a single parameter may give the user unauthorized access. Remember that every parameter may be changed, no matter how much you hide or obfuscate it._