Strips angle brackets from user input on the way into the application,
providing an extra level of security against XSS attacks even when
someone forgets an h() in a template.
This is not a replacement for proper escaping!
Password fields (anything matching /password/) are not stripped. For one
thing, users should be allowed to make strong passwords; for another, you’re
never going to display them in the application. Right?
For fields where you want to allow angle brackets, you can disable it on a parameter-by-parameter basis:
class SomeController < ApplicationController
do_not_clean_param [:thing, :html_description]
end
The array corresponds to the hash keys used to get to the parameter; there is no distinction between string parameters and array parameters.
Form parameter | do_not_clean_param
----------------+--------------------
foo | [:foo] or :foo
foo[bar] | [:foo, :bar]
foo[bar][] | [:foo, :bar]
You can specify multiple parameters in one line:
do_not_clean_param :foo, :bar, [:nested, :baz]