authorDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2013-02-25 22:51:15 +0200
committerDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2013-02-25 22:51:15 +0200
commit5e69ad2ceae8d3619775695b7fcab62a7a32377a (patch)
treeecb1092f6972fd66bf088b1ca3cf2f32dedd9aee /app/controllers/profiles_controller.rb
parentdb8baf2895f111652699c5b48d8cb2663eed6c3f (diff)
downloadgitlab-ce-5e69ad2ceae8d3619775695b7fcab62a7a32377a.tar.gz
Sanitize user profile input
Diffstat (limited to 'app/controllers/profiles_controller.rb')
-rw-r--r--app/controllers/profiles_controller.rb17
1 files changed, 16 insertions, 1 deletions
diff --git a/app/controllers/profiles_controller.rb b/app/controllers/profiles_controller.rb
index 051a6664519..6fa114a4194 100644
--- a/app/controllers/profiles_controller.rb
+++ b/app/controllers/profiles_controller.rb
@@ -1,4 +1,6 @@
class ProfilesController < ApplicationController
+ include ActionView::Helpers::SanitizeHelper
+
before_filter :user
layout 'profile'
@@ -12,7 +14,7 @@ class ProfilesController < ApplicationController
end
def update
- if @user.update_attributes(params[:user])
+ if @user.update_attributes(user_attributes)
flash[:notice] = "Profile was successfully updated"
else
flash[:alert] = "Failed to update profile"
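Review bot: `update_attributes(user_attributes)` still hands the model every key present in `params[:user]`; the new helper only rewrites the values of five named fields and does not narrow which attributes may be assigned. Whether that is safe depends on the model's `attr_accessible` list, which is not visible here, so it is worth confirming that list covers exactly the profile fields this form is meant to edit. A short comment on the `if` line would make the split of responsibilities explicit: `# user_attributes sanitizes free-text fields; attribute whitelisting is the model's job`. The body of `update` continues outside the hunk.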
@@ -65,4 +67,17 @@ class ProfilesController < ApplicationController
def user
@user = current_user
end
+
+ def user_attributes
+ user_attributes = params[:user]
+
+ # Sanitize user input because we dont have strict
+ # validation for this fields
+ %w(name skype linkedin twitter bio).each do |attr|
+ value = user_attributes[attr]
+ user_attributes[attr] = sanitize(value) if value.present?
+ end
+
+ user_attributes
+ end
end
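Review bot: `user_attributes` dereferences `params[:user]` without a guard at `value = user_attributes[attr]`, so a request that omits the `user` parameter now raises NoMethodError where `update_attributes(nil)` previously returned quietly; initialise with `user_attributes = params[:user] || {}`. Note also that `sanitize` with default options keeps a permitted set of HTML tags, so the stored values are still untrusted and must be escaped or sanitized again where they are rendered — input-side sanitizing is defence in depth, not a substitute. The method is added directly after `user` with no visibility marker visible in the hunk; if it is public it becomes a candidate action method on the controller, so it should sit under `private` (the include of `ActionView::Helpers::SanitizeHelper` in the first hunk has the same effect for the helper's methods, and `ActionController::Base.helpers.sanitize` avoids it). The inline comment should read `# Sanitize user input because we don't have strict validation for these fields`.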