If, in your view, you are expecting params[:name] to be a string, but 
actually Rails has parsed it into {"."=>"1234"} (or something more 
malicious), then currently
<%= sanitize(params[:name]) %> blows up because the hash does not respond 
to the expected methods from the sanitize call.

I could put in code to check that the params values I am sanitizing are 
strings, but it seems like it would be better for sanitize to handle that, 
and perhaps just return the empty string if the processing of the input 
raises an exception.

--Paul

To view this discussion on the web visit 
https://groups.google.com/d/msgid/rubyonrails-talk/71ca60c3-40da-49a0-805b-648bab2b8d0b%40googlegroups.com.
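The situation Paul describes, as an added example that is not part of the original post: a query string such as `?name[.]=1234` is turned by the framework's bracket-notation parser into a nested Hash rather than a String, so a template helper that expects a String receives a Hash. The `parse_nested_query` below is a deliberately simplified stand-in for Rack's parser (an assumption: it only models the `a[b][c]=v` nesting, not arrays or Rack's other rules), and `string_param` is the kind of type check the post considers adding before calling `sanitize`: anything that is not a String collapses to the empty string.

```ruby
require "cgi"

# Simplified stand-in for Rack's bracket-notation query parser.
# Assumption: this is not Rack's implementation, only enough of it to show
# how "name[.]=1234" becomes {"name"=>{"."=>"1234"}} instead of a String.
def parse_nested_query(query_string)
  params = {}
  query_string.split("&").each do |pair|
    next if pair.empty?
    raw_key, raw_val = pair.split("=", 2)
    key = CGI.unescape(raw_key.to_s)
    val = CGI.unescape(raw_val.to_s)

    # Split "a[b][c]" into the path ["a", "b", "c"].
    m = key.match(/\A([^\[]+)(.*)\z/)
    next unless m
    path = [m[1]] + m[2].scan(/\[([^\]]*)\]/).flatten

    # Walk/create the intermediate hashes, then store the leaf value.
    node = params
    path[0...-1].each do |segment|
      node[segment] = {} unless node[segment].is_a?(Hash)
      node = node[segment]
    end
    node[path.last] = val
  end
  params
end

# The guard the post talks about: hand a value to sanitize only if it really
# is a String. A Hash, Array or nil (missing key) becomes "" instead of
# raising inside the helper.
def string_param(params, key)
  value = params[key]
  value.is_a?(String) ? value : ""
end

# Constructed sample inputs: a benign request and the hostile one from the post.
BENIGN_QUERY  = "name=Paul"
HOSTILE_QUERY = "name[.]=1234"

if __FILE__ == $PROGRAM_NAME
  [BENIGN_QUERY, HOSTILE_QUERY].each do |qs|
    params = parse_nested_query(qs)
    puts "#{qs.inspect} -> params[\"name\"] is a #{params["name"].class}, " \
         "guarded value #{string_param(params, "name").inspect}"
  end
end
```

Inside a Rails controller the same effect can be had without a hand-written check: `params.permit(:name)` only permits scalar values for a scalar key, so a nested Hash sent for `name` is filtered out rather than passed through to the view.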