deac/gitlabhq
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Sanitize user profile input

Browse source
This commit is contained in:
Dmitriy Zaporozhets 2013-02-25 22:51:15 +02:00
parent db8baf2895
commit 5e69ad2cea
1 changed files with 16 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
app/controllers/profiles_controller.rb
View file

@ -1,4 +1,6 @@
class ProfilesController < ApplicationController class ProfilesController < ApplicationController
include ActionView::Helpers::SanitizeHelper
before_filter :user before_filter :user
layout 'profile' layout 'profile'
@ -12,7 +14,7 @@ class ProfilesController < ApplicationController
end end
def update def update
if @user.update_attributes(params[:user]) if @user.update_attributes(user_attributes)
flash[:notice] = "Profile was successfully updated" flash[:notice] = "Profile was successfully updated"
else else
flash[:alert] = "Failed to update profile" flash[:alert] = "Failed to update profile"
@ -65,4 +67,17 @@ class ProfilesController < ApplicationController
def user def user
@user = current_user @user = current_user
end end
def user_attributes
user_attributes = params[:user]
# Sanitize user input because we dont have strict
# validation for this fields
%w(name skype linkedin twitter bio).each do |attr|
value = user_attributes[attr]
user_attributes[attr] = sanitize(value) if value.present?
end
user_attributes
end
end end