ActiveRecord::UnknownAttributeError: unknown attribute: <script type

Has anyone seen this happening to their apps?

I'm starting to get errors like this come across from one of my apps:

  ActiveRecord::UnknownAttributeError: unknown attribute: <script type

The parameters being sent are:

{"user"=>
  {"email_confirmation"=>"someone@example.com",
   "wants_new_message_notifications"=>"1",
   "is_admin"=>"0",
   "<script type"=>"=MyLastName",
   "first_name"=>"MyFirstName",
   "email"=>"someone@example.com"},
"account_id"=>"1",
"action"=>"create",
"controller"=>"users",
"_"=>""}

Obviously it throws this error since my user model doesn't have a
property named "<script type".

So far it looks like it's coming from Safari only, both Windows and
Mac.

I'm wondering what could be renaming the form field names on the
client side to cause this? I have verified that the rendered HTML is
correct.

How? Using the W3C validator?

I'd bet on a mis-matched/imbalanced quotes and/or tags somewhere
close to that input field.

Unless you have some JavaScript doing some funny innerHTML
insertions; but easy enough to turn off JS and see if the error recurs.

FWIW,

Could be a bug or even someone trying to inject malicious javascript
code into your app.
Either case its a good practice to have these kind of scenarios
covered by tests.

You should also make sure that some fields are protected from mass-assignment.
In your hash you have is_admin => 0. If you have in your controller:
  User.create params[:user]
  # or
  @user.update_attributes params[:user]

Then anybody can create an admin user by posting is_admin=1, unless
you protect it in your model like this:

class User < ActiveRecord::Base
  attr_protected :is_admin
  # or
  attr_accessible :name, :email, :username
end

Railscasts.com has some screencasts on this topic: http://railscasts.com/tags/5

Could be a bug or even someone trying to inject malicious javascript
code into your app.
Either case its a good practice to have these kind of scenarios
covered by tests.

How? It's not really feasible to strip attrs that don't belong from
the params... I'd have to query the targeted model for its list of
valid params and then reject non-matches. The idiom is to trustingly
throw the whole hash at the model - "User.create params[:user]".

This error doesn't seem to be so much a security risk as just
perplexing. Happened again on another action today... random field,
"unknown attribute: description<script type". Safari only again.

You should also make sure that some fields are protected from mass-assignment.
In your hash you have is_admin => 0. If you have in your controller:
User.create params[:user]
# or
@user.update_attributes params[:user]

Thanks, this has already been done.