Whitelist instead of blacklist on filter_parameters


Bruno Facca
Is there any reason why config.filter_parameters uses a blacklist approach? Why not convert it into a whitelist?

Whitelisting tends to be safer than blacklisting as developers may forget to blacklist parameters containing sensitive data.

Kind Regards,
Bruno Facca
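
The difference between the two approaches, as an added example that is not part of the original post and is not Rails code: a plain-Ruby sketch in which the helper names (`denylist_filter`, `allowlist_filter`, `walk`) and all parameter names and values are hypothetical, constructed for illustration.

```ruby
MASK = "[FILTERED]"

# Denylist: mask only leaf keys whose name contains a listed entry.
def denylist_filter(params, denied)
  walk(params) { |key| denied.any? { |d| key.to_s.include?(d.to_s) } }
end

# Allowlist: mask every leaf key that is not explicitly listed as safe to log.
def allowlist_filter(params, allowed)
  safe = allowed.map(&:to_s)
  walk(params) { |key| !safe.include?(key.to_s) }
end

# Recursively copy params. Hashes and arrays are descended into; the block
# is asked about each leaf's key and decides whether the value is masked.
def walk(value, key = nil, &mask)
  case value
  when Hash  then value.to_h { |k, v| [k, walk(v, k, &mask)] }
  when Array then value.map { |v| walk(v, key, &mask) }
  else key && mask.call(key) ? MASK : value
  end
end

# Constructed sample request parameters.
PARAMS = {
  "user" => { "name" => "alice", "password" => "s3cret", "api_token" => "tok_123" },
  "tags" => ["a", "b"]
}
DENIED  = [:password]      # api_token was never added to the denylist
ALLOWED = [:name, :tags]   # only these leaf keys may appear in logs

puts denylist_filter(PARAMS, DENIED).inspect   # api_token is logged in clear
puts allowlist_filter(PARAMS, ALLOWED).inspect # api_token is masked by default
```

Under the allowlist, a newly introduced sensitive parameter is masked until someone deliberately marks it safe; the cost is that every harmless parameter also has to be listed before it shows up in logs.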
