Don't escape parameters by default in included rack-protection (issue #310) #361

merged 1 commit into from Sep 22, 2011




Don't escape parameters by default in included rack-protection.

As @rkh claims in issue #310.

@rkh rkh merged commit 9c4ac4c into sinatra:master Sep 22, 2011
Sinatra member



Thanks for the quick fix.


Small gotcha: if you define your own protection exclusions, make sure you also include the one applied in the fix, as your options hash overwrites the one in the fix.
set :protection, :except => [:frame_options, :escaped_params] #include escaped_params


Woooooow, thank you @gordonk, that was exactly what was biting us in the butt.

I'm afraid this ambiguity will bite anyone who tries to set :protection, :except.

The basic flow is this:
"Hmm, something weird is happening.
Oh, I see sinatra tries to save me from myself. Stop that please. (setting a specific :protection, :except)
Nice, that looks like it fixed it.
Wait, why are other things breaking now?
(swear, curse, google, find this page)"

IMO, if I need to change one thing, that :except should affect only the parameter I'm specifically setting, not overwrite all the defaults.
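The overwrite behaviour described in the comments above, set beside the merge behaviour the last comment asks for, as an added example that is not code from this thread or from Sinatra. It is a plain-Ruby model: `DEFAULT_PROTECTION`, `overwrite`, `merge_excepts` and `dropped_exclusions` are hypothetical names, and only `:escaped_params` and `:frame_options` come from the page.

```ruby
# Stand-in for the exclusion the fix applies (assumption: modelled as a plain hash).
DEFAULT_PROTECTION = { :except => [:escaped_params] }.freeze

# Behaviour reported in the thread: the user's options hash replaces the default one.
def overwrite(_default, user)
  user
end

# Hypothetical alternative: union the :except lists, let other user keys win.
def merge_excepts(default, user)
  return user unless user.is_a?(Hash)          # e.g. false disables protection
  excepts = Array(default[:except]) | Array(user[:except])
  default.merge(user).merge(:except => excepts)
end

# Default exclusions that an effective setting no longer carries.
def dropped_exclusions(default, effective)
  return [] unless effective.is_a?(Hash)
  Array(default[:except]) - Array(effective[:except])
end

# Constructed sample: a user who only wanted to skip :frame_options.
user_setting = { :except => [:frame_options] }

replaced = overwrite(DEFAULT_PROTECTION, user_setting)
merged   = merge_excepts(DEFAULT_PROTECTION, user_setting)

puts "overwrite: #{replaced.inspect} dropped=#{dropped_exclusions(DEFAULT_PROTECTION, replaced).inspect}"
puts "merge:     #{merged.inspect} dropped=#{dropped_exclusions(DEFAULT_PROTECTION, merged).inspect}"
```

Running `dropped_exclusions` against an application's own `:protection` value is a quick way to spot a default exclusion that a custom `:except` list has silently removed.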
