sanitize_params.rb 819 Bytes
Edit Raw Blame History



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34


module SanitizeParams

  protected

  # Check each request parameter for 
  # improper HTML or Script tags
  def sanitize_params
    request.params.each { |k, v|
      if v.is_a?(String)        
        params[k] = sanitize_param v
      elsif v.is_a?(Array)
        params[k] = sanitize_array v
      end
    }
  end

  # If the parameter was an array, 
  # try to sanitize each element in the array
  def sanitize_array(array)
    array.map! { |e| 
      if e.is_a?(String)
        sanitize_param e
      end
    }
    return array
  end

  # Santitize a single value
  def sanitize_param(value)
    allowed_tags = %w(a acronym b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br cite sub sup ins p)
    ActionController::Base.helpers.sanitize(value, tags: allowed_tags, attributes: %w(href title))
  end

end