Scrub Params

🔒 Safer Rails parameters by default

JavaScript and HTML have no business in most parameters. Take the whitelist approach: strip them from every request by default and opt out only the actions where markup is expected.

Note: Rails already escapes output well, and that is the real defense against cross-site scripting (XSS). But storing <script>badThings()</script> in your database makes it much easier to make a mistake later (a raw or html_safe call, a JSON feed, an email template). Scrubbing on input is an extra layer, not a substitute for escaping on output.

Works with Rails 3.2 and above

Get Started

Add this line to your application’s Gemfile:

gem 'scrub_params'

You now have another line of defense against XSS.

Test It

Submit HTML in one of your forms.

Hello <script>alert('World')</script>

The tags are removed and the text between them is kept, so this becomes:

Hello alert('World')

And you should see this in your logs:

Scrubbed parameters: name

Original Parameters

Access the original, unscrubbed parameters (for example, to see exactly what was removed from a request) with:

unscrubbed_params

Whitelist Actions

Stripping is lossy: any legitimate value containing angle brackets is altered too, so actions that genuinely accept markup need to be excluded. To skip scrubbing for certain actions, use:

skip_before_filter :scrub_params, only: [:create, :update]

Keep the list as narrow as possible, because every parameter of a skipped action arrives unscrubbed. On Rails 5.1 and later, which removed the *_filter callback aliases, the same call is spelled skip_before_action.

TODO

  • whitelist parameters
  • whitelist tags
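The following is an added example, not code from the scrub_params gem, that models the behaviour described above in plain Ruby so it can be run without Rails: every string in a (possibly nested) params hash is scrubbed, the originals stay reachable as unscrubbed_params, and a "Scrubbed parameters: ..." line is logged. It goes slightly beyond the page by also implementing the per-parameter whitelist from the TODO list. The ParamScrubber and ScrubbedController names, the skip_params option, and the simple tag-stripping state machine are all assumptions; a real Rails app would call ActionView::Base.full_sanitizer.sanitize instead of the stand-in stripper.

```ruby
require 'logger'

module ScrubParamsExample
  # Stand-in for ActionView::Base.full_sanitizer.sanitize (assumption: a
  # real Rails app would call that instead). Drops everything from a '<'
  # up to the next '>' and keeps the text between tags, which is why
  # "Hello <script>alert('World')</script>" becomes "Hello alert('World')"
  # as in the README's example.
  def self.strip_tags(str)
    out = String.new
    in_tag = false
    str.each_char do |c|
      if in_tag
        in_tag = false if c == '>'
      elsif c == '<'
        in_tag = true
      else
        out << c
      end
    end
    out
  end

  # Walks a params hash (nested hashes and arrays included), scrubs every
  # string, and records the Rails-style name of each parameter it changed
  # (e.g. "name" or "user[tags][0]"). Top-level keys listed in `skip` are
  # left untouched: the per-parameter whitelist from the README's TODO
  # list (assumed design, not the gem's).
  class ParamScrubber
    attr_reader :scrubbed_names

    def initialize(skip: [])
      @skip = skip.map(&:to_s)
      @scrubbed_names = []
    end

    def call(params)
      params.each_with_object({}) do |(key, value), clean|
        clean[key] = @skip.include?(key.to_s) ? value : walk(value, key.to_s)
      end
    end

    private

    def walk(value, name)
      case value
      when Hash
        value.each_with_object({}) { |(k, v), h| h[k] = walk(v, "#{name}[#{k}]") }
      when Array
        value.each_with_index.map { |v, i| walk(v, "#{name}[#{i}]") }
      when String
        clean = ScrubParamsExample.strip_tags(value)
        @scrubbed_names << name if clean != value
        clean
      else
        value # numbers, booleans, nil: nothing to scrub
      end
    end
  end

  # Models the controller side of the README: a filter that swaps in the
  # scrubbed params, keeps the originals reachable as `unscrubbed_params`,
  # and logs "Scrubbed parameters: ..." when something changed.
  # Hypothetical class; in Rails this would be a before_action.
  class ScrubbedController
    attr_reader :params, :unscrubbed_params, :scrubbed_names

    def initialize(params, logger: Logger.new($stdout), skip_params: [])
      @unscrubbed_params = params
      @params = params
      @logger = logger
      @skip_params = skip_params
      @scrubbed_names = []
    end

    def scrub_params
      scrubber = ParamScrubber.new(skip: @skip_params)
      @params = scrubber.call(@unscrubbed_params)
      @scrubbed_names = scrubber.scrubbed_names
      @logger.info("Scrubbed parameters: #{@scrubbed_names.join(', ')}") unless @scrubbed_names.empty?
      @params
    end
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample request: `name` carries the README's payload and
  # `bio` is whitelisted, so its markup survives.
  form = {
    'name' => "Hello <script>alert('World')</script>",
    'age'  => '42',
    'bio'  => 'I like <b>Ruby</b>',
    'user' => { 'tags' => ['<i>a</i>', 'b'] }
  }
  ctrl = ScrubParamsExample::ScrubbedController.new(form, skip_params: ['bio'])
  ctrl.scrub_params
  puts ctrl.params.inspect
end
```

Running the file prints the scrubbed hash and a log line naming `name` and `user[tags][0]`; `bio` keeps its tags because it was whitelisted, and `ctrl.unscrubbed_params` still holds the original payload for auditing.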

Contributing

Everyone is encouraged to help improve this project. Here are a few ways you can help:
