Commit 223d26405128a64f624b78e7d4b03565d1e85a69

Authored by Dmitriy Zaporozhets
1 parent 3dcc4419

Sanitize user attrs on model level

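--- a/Gemfile
+++ b/Gemfile
@@ -118,6 +118,9 @@ gem "d3_rails", "~> 3.1.4"
 # underscore-rails
 gem "underscore-rails", "~> 1.4.4"
 
+# Sanitize user input
+gem "sanitize"
+
 group :assets do
 gem "sass-rails"
 gem "coffee-rails"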
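Review bot: The added `gem "sanitize"` carries no version constraint, while the neighbouring `underscore-rails` and `d3_rails` lines in this hunk are pinned with `~>`. Gemfile.lock records the resolved version for now, but a later `bundle update` can move to a new major release and silently change the cleaning behaviour that the User model now depends on. Suggest `gem "sanitize", "~> <version resolved in Gemfile.lock>"` so that upgrades of this security-relevant dependency are deliberate.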
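--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -610,6 +610,7 @@ DEPENDENCIES
 redcarpet (~> 2.2.2)
 redis-rails
 rspec-rails
+sanitize
 sass-rails
 sdoc
 seed-fu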
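--- a/app/controllers/profiles_controller.rb
+++ b/app/controllers/profiles_controller.rb
@@ -17,7 +17,7 @@ class ProfilesController < ApplicationController
 end
 
 def update
-if @user.update_attributes(user_attributes)
+if @user.update_attributes(params[:user])
 flash[:notice] = "Profile was successfully updated"
 else
 flash[:alert] = "Failed to update profile"
@@ -69,19 +69,6 @@ class ProfilesController < ApplicationController
 @user = current_user
 end
 
-def user_attributes
-user_attributes = params[:user]
-
-# Sanitize user input because we dont have strict
-# validation for this fields
-%w(name skype linkedin twitter bio).each do |attr|
-value = user_attributes[attr]
-user_attributes[attr] = sanitize(strip_tags(value)) if value.present?
-end
-
-user_attributes
-end
-
 def authorize_change_password!
 return render_404 if @user.ldap_user?
 end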
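Review bot: `@user.update_attributes(params[:user])` in the first hunk hands the whole request hash to mass assignment, so which columns a user can change now rests entirely on the `attr_accessible`/`attr_protected` declarations in User, which are not visible here; the removed `user_attributes` helper passed the same hash, so this is not new, but with it gone nothing in the controller records that intent. Suggest the comment `# Mass assignment: attribute whitelisting is enforced by User's attr_accessible list` above the call, and a check that role and flag columns are excluded from that list. The `update` action continues past the end of the hunk; the second hunk is a pure deletion whose sanitization now lives in `User#sanitize_attrs`.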
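--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -114,7 +114,10 @@ class User < ActiveRecord::Base
 validate :namespace_uniq, if: ->(user) { user.username_changed? }
 
 before_validation :generate_password, on: :create
+before_validation :sanitize_attrs
+
 before_save :ensure_authentication_token
+
 alias_attribute :private_token, :authentication_token
 
 delegate :path, to: :namespace, allow_nil: true, prefix: true
@@ -356,4 +359,11 @@ class User < ActiveRecord::Base
 def created_by
 User.find_by_id(created_by_id) if created_by_id
 end
+
+def sanitize_attrs
+%w(name username skype linkedin twitter bio).each do |attr|
+value = self.send(attr)
+self.send("#{attr}=", Sanitize.clean(value)) if value.present?
+end
+end
 end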
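Review bot: `Sanitize.clean(value)` in `sanitize_attrs` runs with the default configuration, which strips tags but returns an HTML-escaped fragment, so `&`, `<` and `>` in plain-text fields come back entity-encoded (`Tom & Jerry` is stored as `Tom &amp; Jerry`) and are escaped a second time wherever the value is rendered through ERB; whether the removed `sanitize(strip_tags(...))` path behaved the same is not visible here. This matters more now that `username` is in the list, since its stored form can diverge from what the user typed before `namespace_uniq` and the other validations see it. Suggest `# Sanitize.clean returns an HTML-escaped fragment; stored values are entity-encoded, not plain text` above the loop, and confirming the username validations are meant to run on the encoded form. The callback also appears in what looks like the public section of the class; `private :sanitize_attrs` would keep it out of the public API if the visibility at this point of the file allows.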