Sanitize user attrs on model level

2 files changed, 11 insertions, 14 deletions

diff --git a/app/controllers/profiles_controller.rb b/app/controllers/profiles_controller.rb
index 686edd8af80..6fa635d0e36 100644
--- a/app/controllers/profiles_controller.rb
+++ b/app/controllers/profiles_controller.rb
@@ -17,7 +17,7 @@ class ProfilesController < ApplicationController
   end
 
   def update
-    if @user.update_attributes(user_attributes)
+    if @user.update_attributes(params[:user])
       flash[:notice] = "Profile was successfully updated"
     else
       flash[:alert] = "Failed to update profile"
@@ -69,19 +69,6 @@ class ProfilesController < ApplicationController
     @user = current_user
   end
 
-  def user_attributes
-    user_attributes = params[:user]
-
-    # Sanitize user input because we dont have strict
-    # validation for this fields
-    %w(name skype linkedin twitter bio).each do |attr|
-      value = user_attributes[attr]
-      user_attributes[attr] = sanitize(strip_tags(value)) if value.present?
-    end
-
-    user_attributes
-  end
-
   def authorize_change_password!
     return render_404 if @user.ldap_user?
   end
diff --git a/app/models/user.rb b/app/models/user.rb
index 6de8d2d4c39..ddbdec8acfc 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -116,7 +116,10 @@ class User < ActiveRecord::Base
   validate :namespace_uniq, if: ->(user) { user.username_changed? }
 
   before_validation :generate_password, on: :create
+  before_validation :sanitize_attrs
+
   before_save :ensure_authentication_token
+
   alias_attribute :private_token, :authentication_token
 
   delegate :path, to: :namespace, allow_nil: true, prefix: true
@@ -371,4 +374,11 @@ class User < ActiveRecord::Base
   def created_by
     User.find_by_id(created_by_id) if created_by_id
   end
+
+  def sanitize_attrs
+    %w(name username skype linkedin twitter bio).each do |attr|
+      value = self.send(attr)
+      self.send("#{attr}=", Sanitize.clean(value)) if value.present?
+    end
+  end
 end