Ruby on Rails Wednesday, August 11, 2010

On Aug 10, 4:47 pm, Gudleik Rasch <gudl...@gmail.com> wrote:
> Could be a bug or even someone trying to inject malicious javascript
> code into your app.
> Either case it's a good practice to have these kind of scenarios
> covered by tests.
>

How? It's not really feasible to strip attrs that don't belong from
the params... I'd have to query the targeted model for its list of
valid params and then reject non-matches. The idiom is to trustingly
throw the whole hash at the model - "User.create params[:user]".

This error doesn't seem to be so much a security risk as just
perplexing. Happened again on another action today... random field,
"unknown attribute: description<script type". Safari only again.


> You should also make sure that some fields are protected from mass-assignment.
> In your hash you have is_admin => 0. If you have in your controller:
>   User.create params[:user]
>   # or
>   @user.update_attributes params[:user]
>

Thanks, this has already been done.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
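One way to do the filtering the reply calls for, as an added example in plain Ruby (not the poster's code or anything from Rails itself): drop keys that are not model attributes, refuse protected ones such as is_admin, and hand back the rejected keys so they can be logged instead of crashing the action with "unknown attribute". USER_ATTRIBUTES and PROTECTED_ATTRIBUTES are assumed stand-ins for what a real model would report.

```ruby
# Added example, not code from the thread. Whitelist-filters a params hash
# before it is thrown at the model with User.create / update_attributes.
require 'set'

# Attribute names the hypothetical User model accepts (constructed for this example).
USER_ATTRIBUTES = %w[name email description].freeze
# Attributes that must never be settable from request params.
PROTECTED_ATTRIBUTES = %w[is_admin].freeze

# Returns [clean_params, rejected_keys]. clean_params holds only whitelisted,
# non-protected keys with string names; rejected_keys lists everything dropped,
# which is the signal worth logging when a request carries junk like
# "description<script type" or an is_admin override.
def sanitize_params(params, allowed = USER_ATTRIBUTES, denied = PROTECTED_ATTRIBUTES)
  allowed_set = Set.new(allowed.map(&:to_s)) - denied.map(&:to_s)
  clean = {}
  rejected = []
  params.each do |key, value|
    name = key.to_s
    if allowed_set.include?(name)
      clean[name] = value
    else
      rejected << name
    end
  end
  [clean, rejected]
end

# Constructed sample resembling the hash discussed in the thread: one legitimate
# field, the mangled "description<script type" key, and an is_admin value.
SAMPLE_PARAMS = {
  'name' => 'alice',
  'description<script type' => 'x',
  'is_admin' => 1
}.freeze

if __FILE__ == $0
  clean, rejected = sanitize_params(SAMPLE_PARAMS)
  puts "clean:    #{clean.inspect}"
  puts "rejected: #{rejected.inspect}" # log these at warn level in a real app
end
```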
