Sanitize params hash?

Rails has always had ways to sanitize the display of data, and since 2.x there is even white-listing included. However, I think most of the time it gets the wrong end of things when user-provided data is sanitized on display. The unsanitary parts shouldn't have been allowed in from the start.

The right point, in my opinion, is in (or before) a controller's #create and #update actions, not in the model, as I might want to allow the backend to insert data that a user couldn't.

Before whipping up my own solution, I looked for plugins doing this but didn't find any. Is there already relevant code floating around?

Michael

This is crap! Someone who deliberately inserts malicious code into data does not deserve to see his data saved in the correct way.

Sanitization must happen before data gets saved into the DB. Maybe someday you will forget to escape a field, and BOOOM it blows all over you.
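The approach both posts argue for, filtering the params hash in the controller before #create/#update rather than escaping in the view, as an added example that is not code from this thread or from Rails. It is plain Ruby so it runs without Rails; the module name, the `filter` / `clean_string` methods, the nested `permitted` spec format and the sample request are all assumptions for illustration. It goes slightly beyond the posts: besides stripping markup from string values it also drops any key not in the whitelist, which covers the mass-assignment angle in Michael's post (keys the backend may set but a user may not).

```ruby
require 'cgi'

# Added example (not from the thread): whitelist filter for a Rails-style
# params hash, intended to run in a controller before #create / #update.
module ParamsSanitizer
  TAG_RE = /<[^>]*>/m

  # Strip tags, then escape what is left, so the stored value contains
  # neither markup nor characters that turn into markup when rendered.
  def self.clean_string(value)
    CGI.escapeHTML(value.gsub(TAG_RE, '').strip)
  end

  # Walk +params+ against +permitted+ (a nested Hash whose leaves are true),
  # keeping only permitted keys and sanitizing string leaves.
  # Returns [clean, rejected]; +rejected+ lists dropped key paths for logging.
  def self.filter(params, permitted, path = [], rejected = [])
    clean = {}
    params.each do |key, value|
      key  = key.to_s
      spec = permitted[key]
      here = (path + [key]).join('.')

      # Unknown key, or a nested hash where a scalar was expected (and vice versa)
      if spec.nil? || (value.is_a?(Hash) != spec.is_a?(Hash))
        rejected << here
        next
      end

      clean[key] =
        if value.is_a?(Hash)
          filter(value, spec, path + [key], rejected).first
        elsif value.is_a?(Array)
          value.map { |v| v.is_a?(String) ? clean_string(v) : v }
        elsif value.is_a?(String)
          clean_string(value)
        else
          value
        end
    end
    [clean, rejected]
  end
end

# Assumed whitelist for a hypothetical PostsController#create.
PERMITTED = { 'post' => { 'title' => true, 'body' => true, 'tags' => true } }

# Constructed sample request: what a hostile client might POST.
RAW_PARAMS = {
  'post' => {
    'title' => 'Hello <script>alert(1)</script> world',
    'body'  => 'a < b & c',
    'tags'  => ['<b>x</b>', 'y'],
    'admin' => '1'                 # mass-assignment attempt, not whitelisted
  },
  'commit' => 'Save',
  'debug'  => { 'raise' => 'true' }
}

# Returns [clean_params, rejected_key_paths] for the sample request.
def sanitize_sample
  ParamsSanitizer.filter(RAW_PARAMS, PERMITTED)
end

if __FILE__ == $0
  clean, rejected = sanitize_sample
  p clean     # only post.title / post.body / post.tags survive, tags stripped
  p rejected  # ["post.admin", "commit", "debug"]
end
```

In a Rails 2.x controller the natural place for this is a before_filter on create/update that replaces `params` with the `clean` hash and logs `rejected`. Note that stripping on input is lossy: in the sample, `a < b & c` is stored already entity-encoded, so a view that escapes again would double-encode it, and any data that did not pass through this filter (seeded rows, backend imports) still needs escaping at render time.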