adding security misconfig text

config/application.rb

@@ -40,7 +40,7 @@ module Railsgoat
     config.filter_parameters += [:password]
 
     # Enable escaping HTML in JSON.
-    config.active_support.escape_html_entities_in_json = false
+    #config.active_support.escape_html_entities_in_json = false
 
     # Use SQL instead of Active Record's schema dumper when creating the database.
     # This is necessary if your schema can't be completely dumped by the schema dumper,

config/initializers/html_entities.rb

@@ -0,0 +1 @@
+ActiveSupport::escape_html_entities_in_json = false