README.md in hightop-0.2.4 vs README.md in hightop-0.3.0
- old
+ new
@@ -11,11 +11,11 @@
# }
```
Works with Active Record, Mongoid, arrays and hashes
-[![Build Status](https://travis-ci.org/ankane/hightop.svg?branch=master)](https://travis-ci.org/ankane/hightop)
+[![Build Status](https://github.com/ankane/hightop/workflows/build/badge.svg?branch=master)](https://github.com/ankane/hightop/actions)
## Installation
Add this line to your application’s Gemfile:
@@ -59,23 +59,10 @@
```ruby
Visit.top(:city, min: 10)
```
-## User Input
-
-If passing user input as the column, be sure to sanitize it first [like you must](https://rails-sqli.org/) with `group`.
-
-```ruby
-column = params[:column]
-
-# check against permitted columns
-raise "Unpermitted column" unless ["column_a", "column_b"].include?(column)
-
-User.top(column)
-```
-
## Arrays and Hashes
Arrays
```ruby
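Review bot: Removing the User Input section drops the only place in the README that told users to check a column name against a permitted list before passing it to `top`; even with 0.3.0 rejecting unsafe input by default, that allowlist check is still the right pattern for any value that will later be wrapped in `Arel.sql`. Suggest keeping a shortened version of the example (the `["column_a", "column_b"].include?(column)` check) under the new Upgrading section instead of deleting it outright.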
@@ -104,10 +91,22 @@
```ruby
["up", "up", "down"].top(min: 2)
```
+## Upgrading
+
+### 0.3.0
+
+Hightop 0.3.0 protects against unsafe input by default. For non-attribute arguments, use:
+
+```ruby
+Visit.top(Arel.sql(known_safe_value))
+```
+
+Also, the `uniq` option has been removed. Use `distinct` instead.
+
## History
View the [changelog](https://github.com/ankane/hightop/blob/master/CHANGELOG.md)
## Contributing
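Review bot: The new `Visit.top(Arel.sql(known_safe_value))` guidance does not say that the wrapped value must be a constant or an allowlisted value rather than something taken from `params`; since this same change removes the User Input section, readers could take `Arel.sql` as the way to make arbitrary input work again. Suggest adding a sentence such as "Never pass user input to `Arel.sql`; check it against permitted columns first." Also, "protects against unsafe input by default" does not document what happens when a non-attribute string is passed without `Arel.sql`; stating the behaviour would help users diagnose failures after upgrading.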
@@ -117,10 +116,10 @@
- [Report bugs](https://github.com/ankane/hightop/issues)
- Fix bugs and [submit pull requests](https://github.com/ankane/hightop/pulls)
- Write, clarify, or fix documentation
- Suggest or add new features
-To get started with development and testing:
+To get started with development:
```sh
git clone https://github.com/ankane/hightop.git
cd hightop
bundle install