Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Strip angle brackets from Rails parameters at input, providing an extra level of security against XSS vulnerabilities.
Ruby
Branch: master

Fetching latest commit…

Cannot retrieve the latest commit at this time

Failed to load latest commit information.
lib
test
MIT-LICENSE
README.md
Rakefile
init.rb

README.md

ParameterCleaner

Strips angle brackets from user input on the way into the application, providing an extra level of security against XSS attacks even when someone forgets an h() in a template.

This is not a replacement for proper escaping!

Exclusions

Password fields (anything matching /password/) are not stripped. For one thing, users should be allowed to make strong passwords; for another, you’re never going to display them in the application. Right?

For fields where you want to allow angle brackets, you can disable it on a parameter-by-parameter basis:

class SomeController < ApplicationController
  do_not_clean_param [:thing, :html_description]
end

The array corresponds to the hash keys used to get to the parameter; there is no distinction between string parameters and array parameters.

Form parameter  |  do_not_clean_param
----------------+--------------------
foo             |  [:foo] or :foo
foo[bar]        |  [:foo, :bar]
foo[bar][]      |  [:foo, :bar]

You can specify multiple parameters in one line:

do_not_clean_param :foo, :bar, [:nested, :baz]
Something went wrong with that request. Please try again.