Sanitize user profile input

2013-02-25 22:51:15 +02:00 · 2013-02-25 22:51:15 +02:00 · 5e69ad2cea
parent db8baf2895
commit 5e69ad2cea
1 changed files with 16 additions and 1 deletions
--- a/app/controllers/profiles_controller.rb
+++ b/app/controllers/profiles_controller.rb
@ -1,4 +1,6 @@
 class ProfilesController < ApplicationController
+  include ActionView::Helpers::SanitizeHelper
+
  before_filter :user
  layout 'profile'

@ -12,7 +14,7 @@ class ProfilesController < ApplicationController
  end

  def update
-    if @user.update_attributes(params[:user])
+    if @user.update_attributes(user_attributes)
      flash[:notice] = "Profile was successfully updated"
    else
      flash[:alert] = "Failed to update profile"
@ -65,4 +67,17 @@ class ProfilesController < ApplicationController
  def user
    @user = current_user
  end
+
+  def user_attributes
+    user_attributes = params[:user]
+
+    # Sanitize user input because we dont have strict
+    # validation for this fields
+    %w(name skype linkedin twitter bio).each do |attr|
+      value = user_attributes[attr]
+      user_attributes[attr] = sanitize(value) if value.present?
+    end
+
+    user_attributes
+  end
 end