From 5e69ad2ceae8d3619775695b7fcab62a7a32377a Mon Sep 17 00:00:00 2001 From: Dmitriy Zaporozhets Date: Mon, 25 Feb 2013 22:51:15 +0200 Subject: [PATCH] Sanitize user profile input --- app/controllers/profiles_controller.rb | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/app/controllers/profiles_controller.rb b/app/controllers/profiles_controller.rb index 051a6664..6fa114a4 100644 --- a/app/controllers/profiles_controller.rb +++ b/app/controllers/profiles_controller.rb @@ -1,4 +1,6 @@ class ProfilesController < ApplicationController + include ActionView::Helpers::SanitizeHelper + before_filter :user layout 'profile' @@ -12,7 +14,7 @@ class ProfilesController < ApplicationController end def update - if @user.update_attributes(params[:user]) + if @user.update_attributes(user_attributes) flash[:notice] = "Profile was successfully updated" else flash[:alert] = "Failed to update profile" @@ -65,4 +67,17 @@ class ProfilesController < ApplicationController def user @user = current_user end + + def user_attributes + user_attributes = params[:user] + + # Sanitize user input because we dont have strict + # validation for this fields + %w(name skype linkedin twitter bio).each do |attr| + value = user_attributes[attr] + user_attributes[attr] = sanitize(value) if value.present? + end + + user_attributes + end end