Imagine you have a user model with a user name and several other attributes. A user will only be able to set a username while signing up, not later when editing his profile.
Still, the :user_name attribute needs to be accessible through attr_accessible in the user model for the registration form.
This makes me wonder whether a malicious user could change the form that allows him to edit his profile, and change an input name to user_name and thereby in fact change it upon submit.
Am I right about this, i.e. could a malicious user do that or will Ruby find out somehow that the form was altered? If this is a security issue, how can I always reset the user name in my update method? Is there a rails way of differentiating between accessible and accessible but non-editable attributes?
No, it’s not possible due to Rails’ CSRF countermeasures. See this guide.
You should have the following line in your application controller:
Also have a look at the following article for further information on XSS, which describes in some detail what is possible and counter-measures to take.
Always sanitize() input.
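The per-action filtering the question asks about, as an added plain-Ruby example that is not part of the question or the answer and does not use Rails: the set of assignable attributes depends on the action, so a user_name field added to the profile-edit form is discarded on update and reported so the controller can log the attempt. The class, attribute names and role names are constructed for the example; Rails' attr_accessible offers the same idea through its role option (attr_accessible :user_name, as: :registration).

```ruby
# Plain-Ruby stand-in for the user model in the question (constructed
# example, not Rails): mass assignment against a per-action whitelist.
class User
  ATTRS = [:user_name, :email, :bio].freeze
  attr_reader(*ATTRS)

  # Which attributes each action may assign. Only registration may set
  # user_name; a profile edit may not, however the submitted form was built.
  ACCESSIBLE = {
    registration: [:user_name, :email, :bio],
    profile_edit: [:email, :bio],
  }.freeze

  def initialize(params)
    assign_attributes(params, as: :registration)
  end

  # Assign only whitelisted keys; every other key in params is dropped.
  # Returns the rejected keys so the caller can log unexpected fields.
  def assign_attributes(params, as:)
    allowed = ACCESSIBLE.fetch(as)
    rejected = []
    params.each do |key, value|
      key = key.to_sym
      if allowed.include?(key)
        instance_variable_set("@#{key}", value)
      else
        rejected << key   # e.g. a user_name field injected into the edit form
      end
    end
    rejected
  end
end

# What the update action would do with the submitted profile form: apply the
# edit under the :profile_edit role and hand back the rejected keys.
def apply_profile_edit(user, params)
  user.assign_attributes(params, as: :profile_edit)
end

# Registration form: user_name is accepted.
user = User.new("user_name" => "alice", "email" => "a@example.com")
# Tampered edit submission: user_name is ignored, bio is applied.
apply_profile_edit(user, "user_name" => "someone_else", "bio" => "hello")
```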