Scrub Params

:lock: Secure Rails parameters by default

Insecure by default is insecure

HTML has no business in most request parameters. Take the whitelist approach: strip it from every parameter by default and opt in only the few fields that genuinely need markup, rather than trying to enumerate the dangerous ones.

Get Started

Add this line to your application’s Gemfile:

gem 'scrub_params'

You now have another line of defense against cross-site scripting (XSS). It is defense in depth, not a replacement: keep Rails' default output escaping in your views and add a Content Security Policy where you can. Stripping on input reduces what an attacker can store in the first place, but anything already in the database, or anything rendered with `raw`/`html_safe`, is untouched by it.

Test It

Submit HTML in one of your forms, for example in a field called name:

Hello <script>alert('World')</script>

This becomes:

Hello alert('World')

The exact result depends on the sanitizer your Rails version ships with: the rails-html-sanitizer full sanitizer used by current Rails removes <script> elements together with their contents, so the text inside the tags may disappear as well. Either way, no tags reach your models.

And you should see this in your logs, listing each parameter that was changed (here, name):

Scrubbed parameters: name

Whitelist Actions

To prevent certain actions from being scrubbed, skip the filter for those actions only:

skip_before_filter :scrub_params, only: [:create, :update]

On Rails 5 and later use skip_before_action; the skip_before_filter alias was deprecated in Rails 5.0 and removed in 5.1. Keep the skipped set as small as possible: create and update are exactly the actions that persist untrusted input, so skip them only for an action that deliberately accepts markup and sanitizes it itself with an explicit list of allowed tags.

TODO

  • whitelist parameters
  • whitelist tags
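The following is an added example, not code from the scrub_params gem: a small scrubber of the kind the Test It and Whitelist Actions sections describe, plus the per-parameter whitelist listed as TODO above. It assumes a Rails-style params structure (nested Hashes and Arrays with String leaves) and takes the sanitizer as an argument. The `ParamScrubber` module, its method names, the `STAND_IN_STRIP_TAGS` lambda and the sample payload are all constructed for this example; the stand-in only strips tags, like the sample output above, and is there so the code runs without Rails.

```ruby
# Added example (not the scrub_params gem's code): a before-filter style
# scrubber that walks nested params, strips HTML from every String leaf that
# is not whitelisted, and reports which keys changed so they can be logged.
require 'logger'

module ParamScrubber
  # Constructed stand-in for ActionController::Base.helpers.strip_tags so the
  # example runs without Rails. It only removes tags, matching the sample
  # output in this README. Do not use a regex stripper in production; in a
  # Rails app pass the real sanitizer through the `sanitizer:` argument.
  STAND_IN_STRIP_TAGS = ->(text) { text.gsub(/<[^>]*>/, '') }

  # Returns [scrubbed_params, changed_keys]. Changed keys are reported as
  # dotted paths ("post.tags.0") so nested changes stay attributable in logs.
  # A whitelist entry matches either a bare key ("body") or a path ("post.body").
  def self.scrub(params, whitelist: [], sanitizer: STAND_IN_STRIP_TAGS)
    changed = []
    scrubbed = walk(params, whitelist.map(&:to_s), sanitizer, [], changed)
    [scrubbed, changed]
  end

  # Log line in the same shape as the README's "Scrubbed parameters: name".
  def self.log_line(changed_keys)
    return nil if changed_keys.empty?
    "Scrubbed parameters: #{changed_keys.join(', ')}"
  end

  def self.walk(node, whitelist, sanitizer, path, changed)
    case node
    when Hash
      node.each_with_object({}) do |(key, value), acc|
        key_path = path + [key.to_s]
        acc[key] =
          if whitelist.include?(key.to_s) || whitelist.include?(key_path.join('.'))
            value # whitelisted: passed through exactly as submitted
          else
            walk(value, whitelist, sanitizer, key_path, changed)
          end
      end
    when Array
      node.each_with_index.map { |value, i| walk(value, whitelist, sanitizer, path + [i.to_s], changed) }
    when String
      cleaned = sanitizer.call(node)
      changed << path.join('.') if cleaned != node
      cleaned
    else
      node # numbers, nil, booleans, uploaded files: nothing to strip
    end
  end
  private_class_method :walk
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request payload mirroring the form submission in Test It.
  params = {
    'name' => "Hello <script>alert('World')</script>",
    'post' => { 'body' => '<b>allowed markup</b>', 'tags' => ['<i>rails</i>', 'xss'] },
    'id'   => 7
  }
  scrubbed, changed = ParamScrubber.scrub(params, whitelist: %w[post.body])
  logger = Logger.new($stdout)
  logger.info(ParamScrubber.log_line(changed)) if changed.any?
  p scrubbed
end
```

In a Rails controller the assumed wiring (not exercised here) is a `before_action` that calls `ParamScrubber.scrub(params.to_unsafe_h, ...)`, assigns the result back to `params`, and logs the returned keys; the whitelisted key (`post.body` above) keeps its markup, so whatever renders it must sanitize with an explicit allowed-tag list rather than output it raw.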

Contributing

Everyone is encouraged to help improve this project. Here are a few ways you can help: