Sanitize params hash?

Michael_Schuerig1 · May 2, 2008, 12:37pm

Rails has always had ways to sanitize the display of data and since 2.x there is even white-listing included. However, I think most of the time it gets the wrong end of things when user-provided data is sanitized on display. The unsanitary parts shouldn't have been allowed in from the start.

The right point, in my opinion, is in (or before) a controller's #create and #update actions; not in the model, as I might want to allow the backend to insert data that a user couldn't.

Before I whip up my own solution, I've looked for plugins doing this, but didn't find any. Is there already relevant code floating around?

Michael

11175 · September 16, 2008, 9:11pm

This is crap! Someone who deliberately inserts malicious code into data does not deserve to see his data saved in the correct way.

Sanitization must happen before data gets saved into the DB. Maybe someday you will forget to escape a field, and BOOOM it blows all over you.

Topic		Replies	Views
Sanitize IN Controller rubyonrails-talk	2	105	September 18, 2007
How to sanitize _before_ going into the database? rubyonrails-talk	4	228	February 1, 2008
Sanitize my params and the create method rubyonrails-talk	0	87	August 22, 2007
Sanitizing HTML in a model? rubyonrails-talk	0	144	October 16, 2007
Storing URL in database -- h() or sanitize() ? rubyonrails-talk	2	95	February 15, 2008

Sanitize params hash?

Related topics

More Resources