Sanitize params hash?

Rails has always had ways to sanitize the display of data and since 2.x
there is even white-listing included. However, I think most of the time
it gets the wrong end of things when user-provided data is sanitized on
display. The unsanitary parts shouldn't have been allowed in from the

The right point, in my opinion, is in (or before) a controller's #create
and #update actions; not in the model, as I might want to allow the
backend to insert data that a user couldn't.

Before I whip up my own solution, I've looked for plugins doing this,
but didn't find any. Is there already relevant code floating around?
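Below is an added example of the kind of controller-boundary filter the question describes; it is not code from the thread or from Rails itself. It is plain Ruby so it runs without Rails: `ParamSanitizer`, `PERMITTED`, `SAMPLE` and `demo` are hypothetical names, and in a real app `sanitize` would be called from a `before_filter` on `create` and `update` before the cleaned hash is handed to the model. It both whitelists keys (so a stray `admin` field never reaches mass assignment) and strips markup from string values, and it reports what it dropped or changed so the controller can log it.

```ruby
# Added example (not from the thread or from Rails): whitelist and strip
# user-supplied params at the controller boundary, before #create / #update.
module ParamSanitizer
  # Per-resource whitelist: only these attribute names may reach the model.
  # Hypothetical resource/attribute names.
  PERMITTED = { 'post' => %w[title body] }.freeze

  # Anything that looks like an HTML/XML tag: optional slash, then a letter.
  TAG = %r{</?[a-z][^>]*>}i

  # clean:    hash safe to pass to the model
  # dropped:  keys that were not on the whitelist (e.g. mass-assignment attempts)
  # modified: whitelisted keys whose value had tags removed
  Result = Struct.new(:clean, :dropped, :modified)

  def self.strip_tags(value)
    value.gsub(TAG, '')
  end

  # params: the request params hash; resource: the nested key, e.g. 'post'.
  def self.sanitize(params, resource)
    allowed = PERMITTED.fetch(resource) { raise ArgumentError, "no whitelist for #{resource}" }
    raw = params.fetch(resource, {})
    clean = {}
    modified = []

    raw.each do |key, value|
      next unless allowed.include?(key) # non-whitelisted keys never reach the model
      if value.is_a?(String)
        stripped = strip_tags(value)
        modified << key if stripped != value
        clean[key] = stripped
      else
        clean[key] = value # non-string values (numbers, booleans) pass through untouched
      end
    end

    Result.new(clean, raw.keys - allowed, modified)
  end
end

# Constructed sample request, shaped like a controller's params hash.
SAMPLE = {
  'post' => {
    'title' => 'Hello <b>world</b>',
    'body'  => 'plain text',
    'admin' => 'true' # not whitelisted, so it is dropped and reported
  }
}.freeze

def demo
  ParamSanitizer.sanitize(SAMPLE, 'post')
end

if __FILE__ == $PROGRAM_NAME
  r = demo
  puts "clean:    #{r.clean.inspect}"
  puts "dropped:  #{r.dropped.inspect}"
  puts "modified: #{r.modified.inspect}"
end
```

The `dropped` and `modified` lists are the part worth keeping in a real filter: a request that carries a non-whitelisted key or markup in a plain-text field is a signal to log, not just to clean. Note that this filter only covers data arriving through the controller; records written by the backend paths the question mentions bypass it, so output escaping in the views still has to stay in place.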


This is crap! Someone who deliberately inserts malicious code into data
does not deserve to see his data saved in the correct way.

Sanitization must happen before data gets saved into the DB. Maybe
someday you will forget to escape a field, and BOOOM it blows all over