# Scrub Params

:lock: Secure Rails parameters by default

> Insecure by default is insecure

HTML has no business in most parameters. Take the **whitelist approach** and remove it by default.

## Get Started

Add this line to your application’s Gemfile:

```ruby
gem 'scrub_params'
```

You now have another line of defense against [cross-site scripting (XSS)](http://en.wikipedia.org/wiki/Cross-site_scripting).

### Test It

Submit HTML in one of your forms.

```html
Hello <script>alert('World')</script>
```

This becomes:

```
Hello alert('World')
```

And you should see this in your logs:

```
Scrubbed parameters: name
```

### Whitelist Actions

To prevent certain actions from being scrubbed, use:

```ruby
skip_before_filter :scrub_params, only: [:create, :update]
```
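To make the behaviour described in "Test It" and "Whitelist Actions" concrete, here is a stand-alone Ruby sketch added to this README (not the gem's own code): it walks a Rails-style params hash, strips tags from every string, records which keys changed for the `Scrubbed parameters:` log line, and leaves whitelisted actions alone. The gem itself relies on Rails' HTML sanitizer; the regex tag stripper here is an assumption so the example runs without Rails.

```ruby
# Added illustration, not the scrub_params implementation.
module ParamScrubber
  # Stand-in for Rails' full sanitizer (assumption). A regex is good enough
  # to show the data flow, but it is NOT a safe sanitizer: "1 < 2 and 3 > 1"
  # would lose text, and malformed markup can slip past it. Use a real HTML
  # parser-based sanitizer in production.
  TAG_RE = /<[^>]*>/

  # Returns [scrubbed_params, names_of_scrubbed_keys].
  def self.scrub(params)
    changed = []
    [walk(params, nil, changed), changed.uniq]
  end

  # Equivalent of the README's before_filter plus skip_before_filter: actions
  # listed in `skip` pass through untouched, everything else is scrubbed.
  def self.for_action(action, params, skip: [])
    return [params, []] if skip.map(&:to_s).include?(action.to_s)
    scrub(params)
  end

  # Builds the log line the README shows; nil when nothing was scrubbed.
  def self.log_line(changed)
    changed.empty? ? nil : "Scrubbed parameters: #{changed.join(', ')}"
  end

  # Recursive walk: nested hashes (user[profile][bio]) and arrays (tags[])
  # are handled; non-string values (numbers, nil, file uploads) pass through.
  def self.walk(value, key, changed)
    case value
    when Hash
      value.each_with_object({}) { |(k, v), h| h[k] = walk(v, k.to_s, changed) }
    when Array
      value.map { |v| walk(v, key, changed) }
    when String
      clean = value.gsub(TAG_RE, "")
      changed << key if key && clean != value
      clean
    else
      value
    end
  end
  private_class_method :walk
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample request, mirroring the README's "Test It" section.
  scrubbed, changed = ParamScrubber.scrub("name" => "Hello <script>alert('World')</script>")
  puts scrubbed["name"]                 # Hello alert('World')
  puts ParamScrubber.log_line(changed)  # Scrubbed parameters: name
end
```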

## TODO

- whitelist parameters
- whitelist tags

## Contributing

Everyone is encouraged to help improve this project. Here are a few ways you can help:

- [Report bugs](https://github.com/ankane/scrub_params/issues)
- Fix bugs and [submit pull requests](https://github.com/ankane/scrub_params/pulls)
- Write, clarify, or fix documentation
- Suggest or add new features

| Version | Path |
| --- | --- |
| scrub_params-0.0.1 | README.md |