Note: Rails does amazing work to prevent cross-site scripting (XSS), but storing
<script>badThings()</script> in your database makes it much easier to make mistakes.
Works with Rails 3.2 and above
Add this line to your application’s Gemfile:
You now have another line of defense against XSS.
Submit HTML in one of your forms.
And you should see this in your logs:
Scrubbed parameters: name
Access the original parameters with:
To skip scrubbing for certain actions, use:
skip_before_filter :scrub_params, only: [:create, :update]
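The following is an added illustration, not the gem's own code, of the behaviour described above: a before filter that walks the params hash, strips tags from every string, keeps the untouched originals reachable, logs which parameters were changed, and can be skipped per action. It has no Rails dependency so it runs stand-alone; the regex `strip_tags` is a stand-in for a real HTML sanitizer (Rails' `strip_tags`, backed by Loofah) and is not adequate on its own in production. The reader name `original_params`, the class names, and the sample request are assumptions, since the page does not show the gem's own accessor.

```ruby
# Added example (not the gem's code): a dependency-free model of a
# scrub-params before filter.
module ParamScrubber
  TAG = /<[^>]*>/

  # Stand-in for Rails' strip_tags: removes anything that looks like an
  # HTML tag. A production scrubber must parse HTML properly; this regex
  # exists only so the example runs without Rails.
  def self.strip_tags(str)
    str.gsub(TAG, '')
  end

  # Recursively scrub a params hash. Returns a cleaned copy and leaves the
  # original untouched; `changed` collects the dotted path of every string
  # that was altered, which is what the log line reports.
  def self.scrub(value, path, changed)
    case value
    when Hash
      value.each_with_object({}) do |(k, v), out|
        out[k] = scrub(v, path ? "#{path}.#{k}" : k.to_s, changed)
      end
    when Array
      value.map { |v| scrub(v, path, changed) }
    when String
      cleaned = strip_tags(value)
      changed << path if cleaned != value && !changed.include?(path)
      cleaned
    else
      value
    end
  end

  # Entry point: returns [scrubbed_params, scrubbed_paths].
  def self.scrub_params(params)
    changed = []
    [scrub(params, nil, changed), changed]
  end
end

# Models the controller side: the filter runs for every action except the
# ones listed in `skip` (the skip_before_filter case), the originals stay
# reachable through a separate reader (named original_params here, an
# assumed name), and one log line names the parameters that were changed.
class ScrubbingController
  attr_reader :params, :original_params, :log

  def initialize(action:, params:, skip: [])
    @action = action
    @original_params = params
    @log = []
    @params = skip.include?(action) ? params : scrub_params_filter(params)
  end

  private

  def scrub_params_filter(params)
    scrubbed, paths = ParamScrubber.scrub_params(params)
    @log << "Scrubbed parameters: #{paths.join(', ')}" unless paths.empty?
    scrubbed
  end
end

# Constructed sample request, reusing the tag from the note above.
SAMPLE_PARAMS = {
  "name" => "<script>badThings()</script>Alice",
  "profile" => { "bio" => "plain text", "links" => ["<a href=x>x</a>", "y"] }
}.freeze

if __FILE__ == $PROGRAM_NAME
  c = ScrubbingController.new(action: :show, params: SAMPLE_PARAMS)
  puts c.log                 # Scrubbed parameters: name, profile.links
  p c.params                 # cleaned copy handed to the action
  p c.original_params        # untouched request parameters
end
```

Nested keys are reported with a dotted path so a log reader can tell `profile.links` from a top-level `links`; the original hash is never mutated, which is what lets the controller still hand out the raw input when an action legitimately needs it.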
- whitelist parameters
- whitelist tags
Everyone is encouraged to help improve this project. Here are a few ways you can help: