Ruby on Rails
kodenji, 2015-09-13 17:48:14

Is the Devise gem (devise_parameter_sanitizer) not working, or am I missing something?

Hello everyone, in the controller I have the following lines:

before_filter :configure_permitted_parameters, :only => [:create]

protected

def configure_permitted_parameters
  # whitelist of parameter keys accepted on sign-up
  devise_parameter_sanitizer.for(:sign_up) { |u| u.permit(:email, :password, :password_confirmation, :company) }
  # whitelist of parameter keys accepted on account update
  devise_parameter_sanitizer.for(:account_update) { |u| u.permit(:email, :password, :password_confirmation, :current_password, :company) }
end

All is well, it works. But let's say you enter some constructions in the Company field: different HTML tags, some garbage script. It gets written to the database in that form. Shouldn't it sanitize the fields, cut off all the tags, etc.? Or is it impossible to do attacks this way? Explain to a newbie.


1 answer(s)
vsuhachev, 2015-09-13
@kodenji

No, it shouldn't. It only cuts off all unspecified parameters. And about tags: in Rails, all strings are safe by default; they are automatically escaped before being returned, unless you explicitly specify the opposite. That is, in your case you can leave everything as it is now.
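To make the answer concrete, here is an added example in plain Ruby (not code from the question, from Devise or from Rails): it mimics what permit does to a constructed sign-up hash (unknown keys dropped, values left untouched) and what Rails' output escaping does to the stored company value. ERB::Util.html_escape is called explicitly because plain Ruby ERB, unlike Rails' ERB, does not escape on its own; the "admin" key and all values are constructed.

```ruby
require "erb"

# Constructed sign-up params, roughly what Rails builds from the form
# (hypothetical values; "admin" stands in for a key the form never asked for).
SIGN_UP_PARAMS = {
  "email" => "user@example.com",
  "password" => "secret123",
  "password_confirmation" => "secret123",
  "company" => "<b>Acme</b><script>x()</script>",
  "admin" => "true",
}.freeze

PERMITTED_SIGN_UP = %w[email password password_confirmation company].freeze

# What the sanitizer's permit(...) does: drop keys that are not whitelisted.
# The surviving values are passed through exactly as submitted, tags included.
def permit(params, allowed)
  params.select { |key, _| allowed.include?(key) }
end

# Rails' default for <%= value %>: escape on output, so stored markup renders
# as inert text. html_safe: true reproduces what raw / html_safe would do,
# i.e. the one case where the stored tags would reach the browser live.
def render_company(company, html_safe: false)
  return company if html_safe
  ERB::Util.html_escape(company)
end

# A tiny view rendered with stdlib ERB; the escape call is explicit here,
# Rails' ERB handler does the same implicitly for <%= company %>.
COMPANY_VIEW = ERB.new(<<~TEMPLATE)
  <p><%= ERB::Util.html_escape(company) %></p>
TEMPLATE

def render_view(company)
  COMPANY_VIEW.result_with_hash(company: company)
end

if __FILE__ == $PROGRAM_NAME
  permitted = permit(SIGN_UP_PARAMS, PERMITTED_SIGN_UP)
  puts "stored company: #{permitted["company"].inspect}"
  puts "rendered view:  #{render_view(permitted["company"])}"
end
```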
