From c06140659c35741533604c72c22705dfc30c4664 Mon Sep 17 00:00:00 2001 From: Mike McCabe Date: Tue, 12 Nov 2013 16:10:38 -0500 Subject: [PATCH 1/2] updated description with owasp one --- .../layouts/tutorial/insecure_dor/_insecure_dor_first.html.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/views/layouts/tutorial/insecure_dor/_insecure_dor_first.html.erb b/app/views/layouts/tutorial/insecure_dor/_insecure_dor_first.html.erb index c30b6eb..670b8a3 100755 --- a/app/views/layouts/tutorial/insecure_dor/_insecure_dor_first.html.erb +++ b/app/views/layouts/tutorial/insecure_dor/_insecure_dor_first.html.erb @@ -17,7 +17,7 @@

- A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data. + Applications frequently use the actual name or key of an object when generating web pages. Applications don’t always verify the user is authorized for the target object. This results in an insecure direct object reference flaw. Testers can easily manipulate parameter values to detect such flaws. Code analysis quickly shows whether authorization is properly verified.
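Review bot: the replacement paragraph drops the one sentence the old text had about the control that is missing (an access-control check on the referenced object), so a reader of this tutorial page now learns what the flaw looks like but not what prevents it; keep a closing sentence such as "The fix is to verify, on every request, that the current user is authorized for the specific object referenced" alongside the new wording. Since the commit subject says this text is the OWASP description, add a short attribution line (OWASP Top 10, Insecure Direct Object References) under the paragraph so the borrowed wording is credited in the rendered tutorial.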

From 108c8d2e2aa2efe6a9ac8912dd98d0570b8226d9 Mon Sep 17 00:00:00 2001 From: Mike McCabe Date: Tue, 12 Nov 2013 16:11:30 -0500 Subject: [PATCH 2/2] turning off whitelisting and entities encoding --- config/application.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/application.rb b/config/application.rb index 4bac9da..1d45be7 100755 --- a/config/application.rb +++ b/config/application.rb @@ -40,7 +40,7 @@ module Railsgoat config.filter_parameters += [:password] # Enable escaping HTML in JSON. - config.active_support.escape_html_entities_in_json = true + config.active_support.escape_html_entities_in_json = false # Use SQL instead of Active Record's schema dumper when creating the database. # This is necessary if your schema can't be completely dumped by the schema dumper, @@ -51,7 +51,7 @@ module Railsgoat # This will create an empty whitelist of attributes available for mass-assignment for all models # in your app. As such, your models will need to explicitly whitelist or blacklist accessible # parameters by using an attr_accessible or attr_protected declaration. - config.active_record.whitelist_attributes = true + config.active_record.whitelist_attributes = false # Enable the asset pipeline config.assets.enabled = true
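Review bot: in the first hunk the comment "# Enable escaping HTML in JSON." is left above `config.active_support.escape_html_entities_in_json = false`, so the comment now states the opposite of the setting. With this option off, `to_json` output embedded in HTML or script blocks keeps `<`, `>` and `&` unescaped, which is exactly the condition that lets user-controlled strings break out of a page. If switching it off is deliberate for a RailsGoat lesson (the config module is `Railsgoat`), say so in the comment, for example "# Intentionally disabled for the XSS/JSON lesson; production apps should leave this true"; otherwise restore `true`.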
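Review bot: in the second hunk the three-line comment still says the setting "will create an empty whitelist of attributes available for mass-assignment for all models", but the value is now `false`, which does the reverse: any model without an explicit `attr_accessible` or `attr_protected` declaration accepts every submitted parameter through mass assignment. Update the comment to describe the actual behaviour and its consequence, e.g. "# Whitelisting is off: models without attr_accessible/attr_protected accept all parameters (intentional for the mass-assignment lesson)", and make sure the tutorial that depends on this setting calls out that `true` is the safe default.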