Psych.load is not safe for use with untrusted data. Too many applications make the mistake of using Psych.load with untrusted data and that ends up with some kind of security vulnerability.
This commit changes the default Psych.load to use safe_load. Users that want to parse trusted data can use Psych.unsafe_load.
[ruby/psych] Use Psych.safe_load by default
https://github.com/ruby/psych/commit/176494297f
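
The difference the commit message describes, as an added example (not code from the commit or from psych itself). The `AppSetting` class, the helper names, and both YAML documents are constructed for illustration. `default_load_outcome` reports which behaviour the installed Psych gives `Psych.load`.

```ruby
require "psych"

# Hypothetical application class, defined only for this demonstration.
class AppSetting
  attr_accessor :name, :value
end

# Constructed sample documents: one plain mapping, one carrying a Ruby object tag.
PLAIN_YAML  = "name: retries\nvalue: 3\n"
TAGGED_YAML = "--- !ruby/object:AppSetting\nname: retries\nvalue: 3\n"

# Untrusted input: safe_load builds only basic types unless a class is
# explicitly permitted. The rejection is returned so callers can inspect it.
def parse_untrusted(yaml, permitted: [])
  Psych.safe_load(yaml, permitted_classes: permitted)
rescue Psych::DisallowedClass => e
  e
end

# Trusted input only. Psych.unsafe_load is the name given in the commit
# message; older Psych releases lack it, and there Psych.load is unrestricted.
def parse_trusted(yaml)
  Psych.respond_to?(:unsafe_load) ? Psych.unsafe_load(yaml) : Psych.load(yaml)
end

# What plain Psych.load does with a tagged document on the installed Psych:
# :rejected once the safe default applies, otherwise the instantiated class.
def default_load_outcome(yaml)
  Psych.load(yaml).class
rescue Psych::DisallowedClass
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  puts "plain, untrusted:      #{parse_untrusted(PLAIN_YAML).inspect}"
  puts "tagged, untrusted:     #{parse_untrusted(TAGGED_YAML).class}"
  puts "tagged, allow-listed:  #{parse_untrusted(TAGGED_YAML, permitted: [AppSetting]).class}"
  puts "tagged, trusted:       #{parse_trusted(TAGGED_YAML).class}"
  puts "tagged, Psych.load:    #{default_load_outcome(TAGGED_YAML)}"
end
```

Code that must deserialize specific application classes from untrusted YAML can keep `safe_load` and list those classes in `permitted_classes` rather than switching to `unsafe_load`.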