If, in your view, you are expecting params[:name] to be a string, but actually Rails has parsed it into {"."=>"1234"} (or something more malicious), then currently <%= sanitize(params[:name]) %> blows up because the hash does not respond to the expected methods from the sanitize call.
I could put in code to check that the params values I am sanitizing are strings, but it seems like it would be better for sanitize to handle that, and perhaps just return the empty string if the processing of the input raises an exception. --Paul
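As an added example (not Paul's code and not Rack's or Rails' own implementation), the snippet below uses a simplified, one-level stand-in for Rack's nested query parsing to show how a query like name[.]=1234 turns params["name"] into a Hash, and then guards the view with two hypothetical helpers, string_param and sanitize_param, that only hand Strings on to the sanitizer:

```ruby
require "cgi"

# Simplified stand-in for Rack's nested query parsing (one level of nesting only):
# "name[.]=1234" becomes {"name" => {"." => "1234"}} and "tags[]=a&tags[]=b" becomes
# {"tags" => ["a", "b"]}. Real Rack handles deeper nesting; the shape problem is the same.
def parse_nested_query(query)
  params = {}
  query.split("&").each do |pair|
    raw_key, raw_value = pair.split("=", 2)
    key   = CGI.unescape(raw_key.to_s)
    value = CGI.unescape(raw_value.to_s)
    if (m = key.match(/\A([^\[\]]+)\[([^\[\]]*)\]\z/))
      base, child = m[1], m[2]
      if child.empty?
        params[base] = Array(params[base]) << value       # name[]=v  => Array
      else
        params[base] = {} unless params[base].is_a?(Hash) # name[k]=v => Hash
        params[base][child] = value
      end
    else
      params[key] = value                                 # plain scalar => String
    end
  end
  params
end

# Fetch a param the view expects to be a String. Any other parsed shape
# (Hash, Array, nil) is treated as absent instead of being passed on.
def string_param(params, key)
  value = params[key]
  value.is_a?(String) ? value : ""
end

# Wrapper for a sanitizer such as ActionView's sanitize: the block runs only on
# Strings; any other shape yields an empty string rather than an exception.
def sanitize_param(value)
  return "" unless value.is_a?(String)
  yield value
end

if __FILE__ == $PROGRAM_NAME
  params = parse_nested_query("name[.]=1234&title=hello&tags[]=a&tags[]=b")
  p params                                            # {"name"=>{"."=>"1234"}, ...}
  p string_param(params, "name")                      # ""
  p sanitize_param(params["title"]) { |s| s.upcase }  # "HELLO"
end
```

In a Rails view the block passed to sanitize_param would simply be { |s| sanitize(s) }, so the template never calls sanitize on a Hash.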