ParameterCleaner
Strips angle brackets from user input on the way into the application,
providing an extra level of security against XSS attacks even when
someone forgets an h()
in a template.
This is not a replacement for proper escaping!
Exclusions
Password fields (anything matching /password/
) are not stripped. For one
thing, users should be allowed to make strong passwords; for another, you’re
never going to display them in the application. Right?
For fields where you want to allow angle brackets, you can disable it on a parameter-by-parameter basis:
class SomeController < ApplicationController
do_not_clean_param [:thing, :html_description]
end
The array corresponds to the hash keys used to get to the parameter; there is no distinction between string parameters and array parameters.
Form parameter | do_not_clean_param |
---|---|
foo | [:foo] or :foo |
foo[bar] | [:foo, :bar] |
foo[bar][] | [:foo, :bar] |
You can specify multiple parameters in one line:
do_not_clean_param :foo, :bar, [:nested, :baz]