mauricio / params_sanitizer
A dead simple plugin that sanitizes user provided data when it's sent to your server instead of doing it when you're showing the data
Adding installation notice to readme 
mauricio (author)
Sun Nov 08 18:33:14 -0800 2009
commit  e47ec671b835b048b0d3e5601565161d67ec246f
tree    1b64534290f4f3cc7155dbd5229e3a470846afd0
parent  4d4375b3851c40df91d09e8053839dd182643161
README
== params_sanitizer

Have you ever found yourself using the "h" view helper all around your views
in your applications? Have you ever thought that cleaning up user input in views
is a tedious, error prone and cumbersome job?

You're not alone.

Think with me: the user provides information *once* to your application. That information
could be badly formatted, could be an XSS attack, but you store it in your database exactly as the user
provided it. When you're going to show that information, something that could happen
once or a hundred times (you probably would like to have thousands of page views, wouldn't you?),
you finally clean it up, instead of cleaning it up just once when the user provided it.

Insane, heh?

What about stopping with this insanity and cleaning the data once and for all?

Don't worry, you don't have to do anything, it's already done and sorted out for you with this
dead simple plugin. The params_sanitizer plugin uses Rails' own sanitizers to clean the user
input when it's first provided on form POSTs and PUTs (what? do you alter your
application/database state with GET calls? OMFG!). You can protect all calls to all
controllers, protect all actions in a single controller and even protect specific actions in
a single controller, it's your call!

Here are the examples:

* stripping tags from all params in all actions (remember, only POST or PUT actions will really be changed)
  - strip_tags uses rails full_sanitizer

  class ApplicationController < ActionController::Base
    strip_tags_from_params
  end

* stripping tags from all params for all actions in a single controller

  class NewsStoriesController < ApplicationController
    strip_tags_from_params
  end

* stripping tags from all params for specific actions in a single controller

  class CommentsController < ApplicationController
    strip_tags_from_params :only => [ :create, :update ]
  end

* if instead of stripping all tags, you'd just like to use the simple sanitizer
  (it removes dangerous tags like <script> but leaves others intact; uses Rails' white_list_sanitizer)

  class ApplicationController < ActionController::Base
    sanitize_params
  end

  class NewsStoriesController < ApplicationController
    sanitize_params
  end

  class CommentsController < ApplicationController
    sanitize_params :only => [ :create, :update ]
  end

This plugin depends only on Rails default sanitizers, so you don't need to install
anything else to have it working.
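To make the behaviour concrete, here is an added example (not the plugin's own code) of what a filter like the one described above has to do: walk the params hash recursively, pass every String leaf through a sanitizer, and skip the request entirely unless it is a POST or PUT (and, when :only is given, unless the action is listed). The sanitizer is injected so that under Rails you would hand in the real full_sanitizer or white_list_sanitizer; the STRIP_TAGS lambda is a crude, hypothetical stand-in so the file runs without Rails.

```ruby
# Added example: a minimal stand-in for a params-sanitizing before_filter.
# Not the params_sanitizer plugin's code; ParamsSanitizerDemo and STRIP_TAGS
# are hypothetical names chosen for this illustration.
module ParamsSanitizerDemo
  # Only state-changing requests are touched, matching the README.
  MUTATING_METHODS = %w[POST PUT].freeze

  # Crude stand-in for Rails' full_sanitizer: drops anything shaped like a tag.
  # It is NOT a real HTML sanitizer; Rails' sanitizers handle malformed markup.
  STRIP_TAGS = lambda { |s| s.gsub(/<[^>]*>/, "") }

  # Recursively sanitize String leaves; returns a sanitized copy of the value.
  # Hashes and Arrays are walked, other scalars (Integer, nil, ...) pass through.
  def self.sanitize_value(value, sanitizer)
    case value
    when String then sanitizer.call(value)
    when Hash
      value.each_with_object({}) { |(k, v), h| h[k] = sanitize_value(v, sanitizer) }
    when Array then value.map { |v| sanitize_value(v, sanitizer) }
    else value
    end
  end

  # Per-request decision: untouched params for GETs and for actions not listed
  # in :only; otherwise a sanitized copy of every param.
  def self.filter_params(params, request_method, action, sanitizer, options = {})
    return params unless MUTATING_METHODS.include?(request_method.to_s.upcase)
    only = options[:only]
    return params if only && !only.map(&:to_sym).include?(action.to_sym)
    sanitize_value(params, sanitizer)
  end
end

if __FILE__ == $0
  # Constructed sample params, shaped like a Rails nested form submission.
  params = { "comment" => { "body" => "<script>alert(1)</script>hi",
                            "tags" => ["<b>x</b>", "y"] },
             "page" => 2 }
  p ParamsSanitizerDemo.filter_params(params, "POST", :create,
                                      ParamsSanitizerDemo::STRIP_TAGS,
                                      :only => [:create, :update])
end
```

Note that stripping on the way in is lossy and irreversible (the original markup is gone from the database), and it only addresses HTML body context; data later rendered into JavaScript, attributes or URLs still needs context-appropriate escaping at output time.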

== Installing the plugin:

ruby script/plugin install git://github.com/mauricio/params_sanitizer.git