Commit 5e69ad2ceae8d3619775695b7fcab62a7a32377a

Authored by Dmitriy Zaporozhets
1 parent db8baf28

Sanitize user profile input

Showing 1 changed file with 16 additions and 1 deletions   Show diff stats
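--- a/app/controllers/profiles_controller.rb
+++ b/app/controllers/profiles_controller.rb
@@ -1,4 +1,6 @@
 class ProfilesController < ApplicationController
+  include ActionView::Helpers::SanitizeHelper
+
   before_filter :user
   layout 'profile'
 
@@ -12,7 +14,7 @@ class ProfilesController < ApplicationController
   end
 
   def update
-    if @user.update_attributes(params[:user])
+    if @user.update_attributes(user_attributes)
       flash[:notice] = "Profile was successfully updated"
     else
       flash[:alert] = "Failed to update profile"
@@ -65,4 +67,17 @@ class ProfilesController < ApplicationController
   def user
     @user = current_user
   end
+
+  def user_attributes
+    user_attributes = params[:user]
+
+    # Sanitize user input because we dont have strict
+    # validation for this fields
+    %w(name skype linkedin twitter bio).each do |attr|
+      value = user_attributes[attr]
+      user_attributes[attr] = sanitize(value) if value.present?
+    end
+
+    user_attributes
+  end
 end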
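Review bot: `sanitize(value)` on new line 78 applies the helper's default tag allowlist, so markup such as `<a href="…">` or `<b>` still survives into `name`, `skype`, `linkedin` and `twitter`, which are plain-text fields where no tag is legitimate; `strip_tags` from the same `SanitizeHelper` module fits them better, e.g. `user_attributes[attr] = strip_tags(value) if value.is_a?(String)`, and the comment should state that these fields are plain text rather than "we dont have strict validation for this fields". The method also returns the whole `params[:user]` hash, so every key other than the five listed reaches `update_attributes` untouched; that is only safe if the `User` model restricts assignable attributes (`attr_accessible` or similar), which this diff does not show. `user_attributes[attr]` on line 77 raises if `params[:user]` is missing or not a hash, turning a malformed request into a 500 instead of the "Failed to update profile" path, so a guard such as `user_attributes = params[:user] || {}` is worth adding. Note that sanitizing on input also entity-encodes characters such as `&` in the stored value, which ERB will escape again on output unless the views account for it, so output escaping should remain the primary XSS control and this helper a defense-in-depth layer.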