Sanitize user profile input
This commit is contained in:
Dmitriy Zaporozhets
parent
db8baf2895
commit
5e69ad2cea
1 changed files with 16 additions and 1 deletions
|
|
@ -1,4 +1,6 @@
|
|||
class ProfilesController < ApplicationController
|
||||
include ActionView::Helpers::SanitizeHelper
|
||||
|
||||
before_filter :user
|
||||
layout 'profile'
|
||||
|
||||
|
|
@ -12,7 +14,7 @@ class ProfilesController < ApplicationController
|
|||
end
|
||||
|
||||
def update
|
||||
if @user.update_attributes(params[:user])
|
||||
if @user.update_attributes(user_attributes)
|
||||
flash[:notice] = "Profile was successfully updated"
|
||||
else
|
||||
flash[:alert] = "Failed to update profile"
|
||||
|
|
@ -65,4 +67,17 @@ class ProfilesController < ApplicationController
|
|||
def user
|
||||
@user = current_user
|
||||
end
|
||||
|
||||
def user_attributes
|
||||
user_attributes = params[:user]
|
||||
|
||||
# Sanitize user input because we dont have strict
|
||||
# validation for this fields
|
||||
%w(name skype linkedin twitter bio).each do |attr|
|
||||
value = user_attributes[attr]
|
||||
user_attributes[attr] = sanitize(value) if value.present?
|
||||
end
|
||||
|
||||
user_attributes
|
||||
end
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in a new issue