
Don't escape parameters by default in included rack-protection (issue #310) #361

merged 1 commit into from

6 participants


Don't escape parameters by default in included rack-protection.

As @rkh claims in issue #310.

@rkh rkh merged commit 9c4ac4c into sinatra:master



Thanks for the quick fix.


Small gotcha, if you define your own protection exclusions make sure you also include the one applied in the fix as your options hash overwrites the one in the fix.
set :protection, :except => [:frame_options, :escaped_params] #include escaped_params


Woooooow, thank you @gordonk, that was exactly what was biting us in the butt.

I'm afraid this ambiguity will bite anyone who tries to set :protection, :except.

The basic flow is this:
"Hmm, something weird is happening.
Oh, I see sinatra tries to save me from myself. Stop that please. (setting a specific :protection, :except)
Nice, that looks like it fixed it.
Wait, why are other things breaking now?
(swear, curse, google, find this page)"

IMO, if I need to change one thing, that :except should affect only the parameter I'm specifically setting, not overwrite all the defaults.
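Added example, not Sinatra's own code: a reconstruction of the option handling in setup_protection as changed by this PR, beside a merged variant (my assumption of an alternative, not something Sinatra does), to show concretely why a user-supplied :except list drops the :escaped_params default that the two comments above ran into.

```ruby
# Reconstruction of the option handling from the one-line change in this PR
# (added illustration, not Sinatra's code). The :escaped_params default exists
# only when the caller did not pass a Hash, e.g. `set :protection, true`.
def protection_options(protection, sessions_enabled)
  options = Hash === protection ? protection.dup : {:except => [:escaped_params]}
  options[:except] = Array(options[:except])
  options[:except] += [:session_hijacking, :remote_token] unless sessions_enabled
  options
end

# Alternative (an assumption, not what Sinatra does): keep the caller's hash
# but merge the default exclusion into it, so `set :protection, :except => [...]`
# does not silently re-enable parameter escaping.
def protection_options_merged(protection, sessions_enabled)
  options = Hash === protection ? protection.dup : {}
  options[:except] = Array(options[:except])
  options[:except] |= [:escaped_params]
  options[:except] += [:session_hijacking, :remote_token] unless sessions_enabled
  options
end

if __FILE__ == $0
  # Default config keeps escaping off.
  p protection_options(true, true)[:except]
  # A custom :except list overwrites the default, re-enabling escaped_params.
  p protection_options({:except => [:frame_options]}, true)[:except]
  # The merged variant keeps both the custom exclusion and the default.
  p protection_options_merged({:except => [:frame_options]}, true)[:except]
end
```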

Commits on Sep 22, 2011
  1. @jacobo
Showing with 1 addition and 1 deletion.
  1. +1 −1  lib/sinatra/base.rb
2  lib/sinatra/base.rb
@@ -1361,7 +1361,7 @@ def setup_logging(builder)
def setup_protection(builder)
return unless protection?
- options = Hash === protection ? protection.dup : {}
+ options = Hash === protection ? protection.dup : {:except => [:escaped_params]}
options[:except] = Array options[:except]
options[:except] += [:session_hijacking, :remote_token] unless sessions?
builder.use Rack::Protection, options
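Review bot: the new default on the `+` line applies only when `protection` is not a Hash, so a caller who configures `set :protection, :except => [:frame_options]` takes the `protection.dup` branch and silently loses the `:escaped_params` exclusion this change is meant to establish. Consider folding the default in after `options[:except] = Array options[:except]`, the same way the next line appends `[:session_hijacking, :remote_token]` unless sessions are on, so a user-supplied exclusion list does not re-enable parameter escaping. A line in the changelog would also help, since anyone who already customises :except will otherwise need to discover this the hard way.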