Commit 5e69ad2ceae8d3619775695b7fcab62a7a32377a
1 parent
db8baf28
Sanitize user profile input
Showing
1 changed file
with
16 additions
and
1 deletions
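--- a/app/controllers/profiles_controller.rb
+++ b/app/controllers/profiles_controller.rb
@@ -1,4 +1,6 @@
 class ProfilesController < ApplicationController
+  include ActionView::Helpers::SanitizeHelper
+
   before_filter :user
   layout 'profile'
 
@@ -12,7 +14,7 @@ class ProfilesController < ApplicationController
   end
 
   def update
-    if @user.update_attributes(params[:user])
+    if @user.update_attributes(user_attributes)
       flash[:notice] = "Profile was successfully updated"
     else
       flash[:alert] = "Failed to update profile"
@@ -65,4 +67,17 @@ class ProfilesController < ApplicationController
   def user
     @user = current_user
   end
+
+  def user_attributes
+    user_attributes = params[:user]
+
+    # Sanitize user input because we dont have strict
+    # validation for this fields
+    %w(name skype linkedin twitter bio).each do |attr|
+      value = user_attributes[attr]
+      user_attributes[attr] = sanitize(value) if value.present?
+    end
+
+    user_attributes
+  end
 end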
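Review bot: `user_attributes` in the last hunk raises NoMethodError when `params[:user]` is absent, because `user_attributes[attr]` is then called on nil; guard it with `user_attributes = params[:user] || {}` before the loop. The helper also mutates the params hash in place and, unless the `User` model restricts assignable attributes with `attr_accessible`/`attr_protected` (not visible in this diff), still hands every key of `params[:user]` to `update_attributes`, so sanitizing five fields does not limit which attributes a request can set. `sanitize` keeps a default allow-list of HTML tags; if these fields are rendered as plain text, `strip_tags` is the closer fit, and output escaping in the views remains the primary defense either way. The comment would read better as `# validation for these fields`.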