đź”’ Safer Rails parameters by default
JavaScript and HTML have no business in most parameters. Take the whitelist approach and remove them by default.
Note: Rails does amazing work to prevent cross-site scripting (XSS), but storing <script>badThings()</script> in your database makes it much easier to make mistakes.
Works with Rails 3.2 and above
Add this line to your application’s Gemfile:
gem 'scrub_params'You now have another line of defense against XSS.
Submit HTML in one of your forms.
Hello <script>alert('World')</script>This becomes:
Hello alert('World')
And you should see this in your logs:
Scrubbed parameters: name
Access the original parameters with:
unscrubbed_paramsTo skip scrubbing for certain actions, use:
skip_before_filter :scrub_params, only: [:create, :update]- whitelist parameters
- whitelist tags
Everyone is encouraged to help improve this project. Here are a few ways you can help:
- Report bugs
- Fix bugs and submit pull requests
- Write, clarify, or fix documentation
- Suggest or add new features