Commit 5e69ad2c authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Sanitize user profile input

parent db8baf28
class ProfilesController < ApplicationController class ProfilesController < ApplicationController
include ActionView::Helpers::SanitizeHelper
before_filter :user before_filter :user
layout 'profile' layout 'profile'
...@@ -12,7 +14,7 @@ class ProfilesController < ApplicationController ...@@ -12,7 +14,7 @@ class ProfilesController < ApplicationController
end end
def update def update
if @user.update_attributes(params[:user]) if @user.update_attributes(user_attributes)
flash[:notice] = "Profile was successfully updated" flash[:notice] = "Profile was successfully updated"
else else
flash[:alert] = "Failed to update profile" flash[:alert] = "Failed to update profile"
...@@ -65,4 +67,17 @@ class ProfilesController < ApplicationController ...@@ -65,4 +67,17 @@ class ProfilesController < ApplicationController
def user def user
@user = current_user @user = current_user
end end
def user_attributes
user_attributes = params[:user]
# Sanitize user input because we dont have strict
# validation for this fields
%w(name skype linkedin twitter bio).each do |attr|
value = user_attributes[attr]
user_attributes[attr] = sanitize(value) if value.present?
end
user_attributes
end
end end
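Review bot: `user_attributes` indexes `params[:user]` without a nil guard, so a request with no `user` key now raises NoMethodError at `user_attributes[attr]` where the old code passed nil straight to `update_attributes`; `user_attributes = params[:user] || {}` preserves that path, and naming the local something other than the method itself (`attrs`) would read less confusingly. Separately, `sanitize` keeps Rails' default whitelist of HTML tags, so a name or Skype handle can still be stored carrying `<a>`/`<b>` markup; for fields that are plain text, `strip_tags` or a model validation fits better, and the views must still escape these values on output rather than trusting the stored string. Whether `update_attributes(user_attributes)` is protected against mass assignment depends on `attr_accessible` in the User model, which is not part of this diff.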