# Scrub Params :lock: Safer Rails parameters by default JavaScript and HTML have no business in most parameters. Take the **whitelist approach** and remove them by default. **Note:** Rails does amazing work to prevent [cross-site scripting (XSS)](http://en.wikipedia.org/wiki/Cross-site_scripting), but storing `` in your database makes it much easier to make mistakes. Works with Rails 3.2 and above ## Get Started Add this line to your application’s Gemfile: ```ruby gem 'scrub_params' ``` You now have another line of defense against XSS. ### Test It Submit HTML in one of your forms. ```html Hello ``` This becomes: ``` Hello alert('World') ``` And you should see this in your logs: ``` Scrubbed parameters: name ``` ### Original Parameters Access the original parameters with: ```ruby unscrubbed_params ``` ### Whitelist Actions To skip scrubbing for certain actions, use: ```ruby skip_before_filter :scrub_params, only: [:create, :update] ``` ## TODO - whitelist parameters - whitelist tags ## Contributing Everyone is encouraged to help improve this project. Here are a few ways you can help: - [Report bugs](https://github.com/ankane/scrub_params/issues) - Fix bugs and [submit pull requests](https://github.com/ankane/scrub_params/pulls) - Write, clarify, or fix documentation - Suggest or add new features