Sanitize user profile input

5e69ad2c · Dmitriy Zaporozhets · db8baf28 · 5e69ad2c
Commit 5e69ad2c authored 12 years ago by Dmitriy Zaporozhets
--- a/app/controllers/profiles_controller.rb
+++ b/app/controllers/profiles_controller.rb
 class ProfilesController < ApplicationController
+  include ActionView::Helpers::SanitizeHelper
+
  before_filter :user
  layout 'profile'
  
@@ -12,7 +14,7 @@ class ProfilesController < ApplicationController
  end
  
  def update
-    if @user.update_attributes(params[:user])
+    if @user.update_attributes(user_attributes)
      flash[:notice] = "Profile was successfully updated"
    else
      flash[:alert] = "Failed to update profile"
@@ -65,4 +67,17 @@ class ProfilesController < ApplicationController
  def user
    @user = current_user
  end
+
+  def user_attributes
+    user_attributes = params[:user]
+
+    # Sanitize user input because we dont have strict
+    # validation for this fields
+    %w(name skype linkedin twitter bio).each do |attr|
+      value = user_attributes[attr]
+      user_attributes[attr] = sanitize(value) if value.present?
+    end
+
+    user_attributes
+  end
 end