From 5e69ad2ceae8d3619775695b7fcab62a7a32377a Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
Date: Mon, 25 Feb 2013 22:51:15 +0200
Subject: [PATCH] Sanitize user profile input

---
 app/controllers/profiles_controller.rb | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/app/controllers/profiles_controller.rb b/app/controllers/profiles_controller.rb
index 051a6664519..6fa114a4194 100644
--- a/app/controllers/profiles_controller.rb
+++ b/app/controllers/profiles_controller.rb
@@ -1,4 +1,6 @@
 class ProfilesController < ApplicationController
+  include ActionView::Helpers::SanitizeHelper
+
   before_filter :user
   layout 'profile'
 
@@ -12,7 +14,7 @@ class ProfilesController < ApplicationController
   end
 
   def update
-    if @user.update_attributes(params[:user])
+    if @user.update_attributes(user_attributes)
       flash[:notice] = "Profile was successfully updated"
     else
       flash[:alert] = "Failed to update profile"
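Review bot: The replacement call on the `+` line still hands the whole `params[:user]` hash to `update_attributes`, so HTML sanitization of five fields does nothing about which attributes a request may set; that protection presumably comes from `attr_accessible` on the User model, which is outside this patch and should be confirmed to cover exactly the profile fields this action is meant to edit. If the model list is broad (or absent), any attribute accepted by the model can be set through this action regardless of the new sanitizing step. A short comment on the call site stating the assumption, e.g. `# attribute whitelist is enforced by attr_accessible on User; this only strips markup`, would make the division of responsibility explicit.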
@@ -65,4 +67,17 @@ class ProfilesController < ApplicationController
   def user
     @user = current_user
   end
+
+  def user_attributes
+    user_attributes = params[:user]
+
+    # Sanitize user input because we dont have strict
+    # validation for this fields
+    %w(name skype linkedin twitter bio).each do |attr|
+      value = user_attributes[attr]
+      user_attributes[attr] = sanitize(value) if value.present?
+    end
+
+    user_attributes
+  end
 end
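Review bot: `user_attributes` dereferences `params[:user]` without checking it exists, so a request without a `user` key now raises `NoMethodError` on `user_attributes[attr]` where the old `update_attributes(params[:user])` would have handled the missing hash; a guard after the assignment, `return user_attributes if user_attributes.blank?`, restores the old behaviour. Note also that `sanitize` with no options keeps the helper's default allowlist of tags and attributes (including links), so values in `name`, `skype`, `twitter` and the rest can still carry markup after this step; if those are meant to be plain-text fields, `strip_tags(value)` is the closer fit, and either way the views must keep escaping these attributes on output rather than treating them as pre-cleaned HTML. The hash is mutated in place and returned, which is fine for `params` here but worth a comment, e.g. `# mutates params[:user] in place; callers see the sanitized values`.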
-- 
GitLab