sanitize_params.rb 1.05 KB
Edit Raw Blame History Permalink



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41


module SanitizeParams

  protected

    # Check each request parameter for 
    # improper HTML or Script tags
    def sanitize_params
      sanitize_params_hash(request.params)    
    end

    # Given a params list sanitize all
    def sanitize_params_hash(params)
      params.each { |k, v|
        if v.is_a?(String)        
          params[k] = sanitize_param v
        elsif v.is_a?(Array)
          params[k] = sanitize_array v
        elsif v.kind_of?(Hash)
          params[k] = sanitize_params_hash(v)
        end
      }    
    end

    # If the parameter was an array, 
    # try to sanitize each element in the array
    def sanitize_array(array)
      array.map! { |e| 
        if e.is_a?(String)
          sanitize_param e
        end
      }
      return array
    end

    # Santitize a single value
    def sanitize_param(value)
      allowed_tags = %w(a acronym b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br cite sub sup ins p)
      ActionController::Base.helpers.sanitize(value, tags: allowed_tags, attributes: %w(href title))
    end

end