/parameter_cleaner

Strip angle brackets from Rails parameters at input, providing an extra level of security against XSS vulnerabilities.

Primary LanguageRubyMIT LicenseMIT

ParameterCleaner

Strips angle brackets from user input on the way into the application, providing an extra level of security against XSS attacks even when someone forgets an h() in a template.

This is not a replacement for proper escaping!

Exclusions

Password fields (anything matching /password/) are not stripped. For one thing, users should be allowed to make strong passwords; for another, you’re never going to display them in the application. Right?

For fields where you want to allow angle brackets, you can disable it on a parameter-by-parameter basis:

class SomeController < ApplicationController
  do_not_clean_param [:thing, :html_description]
end

The array corresponds to the hash keys used to get to the parameter; there is no distinction between string parameters and array parameters.

Form parameter  |  do_not_clean_param
----------------+--------------------
foo             |  [:foo] or :foo
foo[bar]        |  [:foo, :bar]
foo[bar][]      |  [:foo, :bar]

You can specify multiple parameters in one line:

do_not_clean_param :foo, :bar, [:nested, :baz]