The official way of preventing security risks with mass-assignment is using attr_accessible. However, some programmers feel this is not a job for the model (or at least not
@tokland your last comment is not correct to some extent, unless your website has the browser as the only entry point where data comes in and goes out.
If your webapp has an API or communicates with other APIs, protection on the controller level leaves holes behind it, and all data from other sources is not sanitised or checked. I recommend keeping the things as they are, turning on mass-assignment protection in application.rb and advancing ActiveSupport FormHelpers to work like Django/Python style.
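As an added illustration (not code from this thread and not Rails' own implementation), the following plain-Ruby toy re-creates the two mechanisms discussed above: a per-model attr_accessible whitelist, and a global switch standing in for config.active_record.whitelist_attributes = true in application.rb. The class names Model, User and LegacyUser, the MassAssignmentError class and the strict: option are assumptions modelled loosely on the Rails 3 API; the sample params hash is constructed. It shows why the global switch matters when input arrives from an API rather than only from a form: a model nobody remembered to protect still refuses untrusted keys such as "admin".

```ruby
# Simplified imitation of Rails 3 mass-assignment protection (added example,
# not the real ActiveRecord code). Names below are illustrative assumptions.

class MassAssignmentError < StandardError; end

class Model
  class << self
    # Global opt-in switch, standing in for
    # config.active_record.whitelist_attributes = true in application.rb.
    # Read via Model.whitelist_attributes so all subclasses share it.
    attr_accessor :whitelist_attributes

    # Per-model whitelist (class instance variable, so each model has its own).
    def accessible_attributes
      @accessible_attributes ||= []
    end

    # Mirrors attr_accessible :name, :email in a model.
    def attr_accessible(*names)
      accessible_attributes.concat(names.map(&:to_s))
    end

    # A model with no whitelist is wide open only while the global switch is off;
    # once it is on, an undeclared model accepts nothing from untrusted input.
    def accessible?(key)
      return true if accessible_attributes.empty? && !Model.whitelist_attributes
      accessible_attributes.include?(key)
    end
  end

  attr_reader :attributes

  def initialize
    @attributes = {}
  end

  # Mass assignment from an untrusted hash (think params[:user], or a JSON body
  # posted to an API endpoint). Non-whitelisted keys are dropped; with
  # strict: true they raise instead, which surfaces holes during testing.
  def assign_attributes(input, strict: false)
    input.each do |key, value|
      key = key.to_s
      if self.class.accessible?(key)
        @attributes[key] = value
      elsif strict
        raise MassAssignmentError, "attribute '#{key}' is not accessible"
      end
    end
    self
  end
end

class User < Model
  attr_accessible :name, :email   # "admin" is deliberately not listed
end

class LegacyUser < Model
  # No attr_accessible at all: protected only by the global switch.
end

# Constructed untrusted input: a client has added an "admin" key on its own.
UNTRUSTED = { "name" => "alice", "email" => "alice@example.com", "admin" => true }.freeze

def safe_user
  User.new.assign_attributes(UNTRUSTED).attributes
end

def legacy_user_without_global_protection
  Model.whitelist_attributes = false
  LegacyUser.new.assign_attributes(UNTRUSTED).attributes
end

def legacy_user_with_global_protection
  Model.whitelist_attributes = true
  LegacyUser.new.assign_attributes(UNTRUSTED).attributes
end

if __FILE__ == $0
  p safe_user                               # admin dropped by the model whitelist
  p legacy_user_without_global_protection   # admin accepted: the hole the thread describes
  p legacy_user_with_global_protection      # nothing accepted until the model declares a whitelist
end
```

Running the file prints the three outcomes in order; the middle one is the situation the reply warns about, where a controller-level check would never see data that reaches the model through another path.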