Safer Rails parameters by default

Scrub Params

🔒 Safer Rails parameters by default

JavaScript and HTML have no business in most parameters. Take the whitelist approach: strip them from every parameter by default and opt specific actions out.

Note: Rails does a great job of preventing cross-site scripting (XSS) by escaping output, but once <script>badThings()</script> is stored in your database, a single unescaped render (raw or html_safe) is enough to execute it.

Works with Rails 3.2 and above

Get Started

Add this line to your application’s Gemfile:

gem 'scrub_params'

You now have another line of defense against XSS.

Test It

Submit HTML in one of your forms.

Hello <script>alert('World')</script>

This becomes:

Hello alert('World')

And you should see this in your logs:

Scrubbed parameters: name

Original Parameters

Access the original parameters with:

unscrubbed_params

Whitelist Actions

To skip scrubbing for certain actions, use:

skip_before_filter :scrub_params, only: [:create, :update]

On Rails 4 and later the same callback can be skipped with skip_before_action :scrub_params, only: [:create, :update].
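
The flow the sections above describe (strip every string parameter, keep the original reachable, log which keys changed, and leave whitelisted actions alone), as an added Ruby example that is not the scrub_params gem's own code. The strip_tags_stub regex, ParamScrubber class, scrub_request helper and SAMPLE_PARAMS are all assumptions made here so the example runs without Rails; in a real app the strip step would be ActionView::Base.full_sanitizer.sanitize (what strip_tags calls) and the skip list would be the skip_before_filter shown above.

```ruby
# Added illustration, not the scrub_params gem's code: a recursive parameter
# scrubber of the kind the gem installs as a before_filter. All names here
# (strip_tags_stub, ParamScrubber, scrub_request, SAMPLE_PARAMS) are assumptions.

# Stand-in for Rails' strip_tags so the example runs without Rails. It drops
# anything that looks like a tag and keeps the text between tags, which is
# the behaviour the README's "Hello alert('World')" example shows. In an app,
# use ActionView::Base.full_sanitizer.sanitize(str) instead.
def strip_tags_stub(str)
  str.gsub(/<[^>]*>/, '')
end

# Walks a params structure (nested Hashes and Arrays), returns a scrubbed
# copy, and records the key of every String value that changed so the
# before_filter can log "Scrubbed parameters: ...". The input is not mutated,
# which is what lets unscrubbed_params still return the original.
class ParamScrubber
  attr_reader :scrubbed_keys

  def initialize(stripper = method(:strip_tags_stub))
    @stripper = stripper
    @scrubbed_keys = []
  end

  def scrub(value, key = nil)
    case value
    when Hash
      value.each_with_object({}) { |(k, v), out| out[k] = scrub(v, k.to_s) }
    when Array
      value.map { |v| scrub(v, key) }   # array elements inherit the parent key
    when String
      cleaned = @stripper.call(value)
      @scrubbed_keys << key if key && cleaned != value
      cleaned
    else
      value                             # numbers, nil, booleans pass through
    end
  end

  # The log line the README shows, or nil when nothing was scrubbed.
  def log_line
    return nil if @scrubbed_keys.empty?
    "Scrubbed parameters: #{@scrubbed_keys.uniq.join(', ')}"
  end
end

# Mirrors the filter's control flow: whitelisted actions are left alone,
# everything else gets the scrubbed copy while the original stays reachable.
def scrub_request(params, action, skip_actions: [])
  if skip_actions.include?(action)
    return { params: params, unscrubbed_params: params, log: nil }
  end
  scrubber = ParamScrubber.new
  { params: scrubber.scrub(params),
    unscrubbed_params: params,
    log: scrubber.log_line }
end

# Constructed sample request (not a real capture).
SAMPLE_PARAMS = {
  'user' => { 'name' => "Hello <script>alert('World')</script>", 'age' => '30' },
  'tags' => ['<b>ok</b>', 'plain']
}.freeze

if __FILE__ == $PROGRAM_NAME
  result = scrub_request(SAMPLE_PARAMS, :show)
  p result[:params]                    # scrubbed copy: tags gone, text kept
  puts result[:log]                    # Scrubbed parameters: name, tags
  skipped = scrub_request(SAMPLE_PARAMS, :create, skip_actions: [:create, :update])
  p skipped[:params]['user']['name']   # original, untouched
end
```

The stub stripper only removes things that look like tags; it is there so the example runs without Rails, not as a sanitizer. The skip list matters because stripping is lossy: a field that legitimately contains markup (a code sample, a rich-text body) would be silently mangled, which is why the gem lets you opt actions out and lists per-parameter whitelisting as a TODO.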

TODO

  • whitelist parameters
  • whitelist tags

Contributing

Everyone is encouraged to help improve this project. Here are a few ways you can help: