Would anyone comment on (newly created) pull request 31874 
<https://github.com/rails/rails/pull/31874>? The change to handling of 
block elements in the params filter list enables a strategy to white-list, 
rather than black-list, the params.

It *does* change behavior. I had to alter a test.


Before I do any more work on this, I want to know if it is looked upon 
favorably and would be at all likely to be merged.



On Wednesday, April 5, 2017 at 4:05:37 PM UTC-3, Bruno Facca wrote:
>
> Is there any reason why config.filter_parameters uses a blacklist 
> approach? Why not convert it into a whitelist?
>
> Whitelisting tends to be safer than blacklisting as developers may forget 
> to blacklist parameters containing sensitive data.
>
> Kind Regards,
> Bruno Facca
>

-- 
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Core" group.
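Added example, not part of the original thread and not code from Rails or from pull request 31874: a plain-Ruby illustration of the blacklist versus whitelist trade-off discussed above, showing which values reach a log under each strategy. The helper names (`walk`, `filter_denylist`, `filter_allowlist`), the sample params and the leaf-only masking are assumptions made for this illustration.

```ruby
# Added example: plain Ruby, no Rails required. Helper names are hypothetical
# and are not Rails APIs. Only leaf values are masked (a simplification).
MASK = "[FILTERED]"

# Recursively copy params, masking each leaf for which the block returns true.
def walk(value, key = nil, &mask)
  case value
  when Hash  then value.map { |k, v| [k, walk(v, k.to_s, &mask)] }.to_h
  when Array then value.map { |v| walk(v, key, &mask) }
  else mask.call(key, value) ? MASK : value
  end
end

# Blacklist: mask only leaves whose key matches a listed pattern.
def filter_denylist(params, patterns)
  walk(params) { |key, _value| patterns.any? { |p| p.match?(key) } }
end

# Whitelist: mask every leaf whose key is not explicitly allowed.
def filter_allowlist(params, allowed)
  walk(params) { |key, _value| !allowed.include?(key) }
end

# Constructed sample request parameters.
PARAMS = {
  "user"   => { "email" => "a@example.com", "password" => "hunter2",
                "ssn" => "000-00-0000" },
  "page"   => "2",
  "tokens" => [{ "api_key" => "k-123" }]
}.freeze

DENY  = [/password/i].freeze   # developer remembered only "password"
ALLOW = %w[page email].freeze  # everything else is masked by default

p filter_denylist(PARAMS, DENY)   # ssn and api_key still appear in clear text
p filter_allowlist(PARAMS, ALLOW) # unknown keys are masked without being listed
```
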