Whitelist instead of blacklist on filter_parameters


Bruno Facca
Is there any reason why config.filter_parameters uses a blacklist approach? Why not convert it into a whitelist?

Whitelisting tends to be safer than blacklisting as developers may forget to blacklist parameters containing sensitive data.

Kind Regards,
Bruno Facca
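
The trade-off raised in the message above, as an added example in plain Ruby. It is not part of the original post and is not Rails' implementation of `config.filter_parameters`. The method names, both lists, and the sample parameters are constructed for illustration.

```ruby
# Added illustration in plain Ruby; not Rails' own filter_parameters code.
FILTERED = "[FILTERED]"

# Denylist: mask values whose key matches a listed pattern; log the rest as-is.
def filter_with_denylist(params, denylist)
  params.each_with_object({}) do |(key, value), out|
    out[key] =
      if value.is_a?(Hash)
        filter_with_denylist(value, denylist)
      elsif denylist.any? { |pattern| key.to_s.match?(pattern) }
        FILTERED
      else
        value
      end
  end
end

# Allowlist: log only values whose key is explicitly listed; mask the rest.
def filter_with_allowlist(params, allowlist)
  params.each_with_object({}) do |(key, value), out|
    out[key] =
      if value.is_a?(Hash)
        filter_with_allowlist(value, allowlist)
      elsif allowlist.include?(key.to_s)
        value
      else
        FILTERED
      end
  end
end

# Constructed request parameters; "ssn" stands for a field added after the lists were written.
SAMPLE_PARAMS = {
  "controller" => "users",
  "action" => "create",
  "user" => { "email" => "a@example.com", "password" => "hunter2", "ssn" => "000-00-0000" }
}.freeze

DENYLIST  = [/password/i, /token/i].freeze     # hypothetical application setting
ALLOWLIST = %w[controller action email].freeze # hypothetical application setting

def demo
  { deny: filter_with_denylist(SAMPLE_PARAMS, DENYLIST),
    allow: filter_with_allowlist(SAMPLE_PARAMS, ALLOWLIST) }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |mode, logged| puts "#{mode}: #{logged.inspect}" }
end
```

Under the denylist the unlisted `ssn` value reaches the log unmasked, while the allowlist masks it by default at the cost of hiding any harmless field that has not been listed yet.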
