For a while, I have felt that the following is the correct way to improve the mass assignment problem without increasing the burden on new users. Now that the problem with the Rails default has been brought up again, it's a good time to revisit it.
When creating a form with form_for, include a signed token including all of the fields that were created at form creation time. Only these fields are allowed.
To allow new known fields to be added via JS, we could add:
| <!DOCTYPE html> | |
| <html lang="en"> | |
| <head> | |
| <meta http-equiv="Content-type" content="text/html; charset=utf-8" /> | |
| <title>Stripe Getting Started Form</title> | |
| <script type="text/javascript" src="https://js.stripe.com/v1/"></script> | |
| <!-- jQuery is used only for this example; it isn't required to use Stripe --> | |
| <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.min.js"></script> | |
| <script type="text/javascript"> | |
| // this identifies your website in the createToken call below |
| DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE | |
| Version 2, December 2004 | |
| Copyright (C) 2015 Larry Fox <http://larryfox.us> | |
| Everyone is permitted to copy and distribute verbatim or modified | |
| copies of this license document, and changing it is allowed as long | |
| as the name is changed. | |
| DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE |
| DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE | |
| Version 2, December 2004 | |
| Copyright (C) 2011 YOUR_NAME_HERE <YOUR_URL_HERE> | |
| Everyone is permitted to copy and distribute verbatim or modified | |
| copies of this license document, and changing it is allowed as long | |
| as the name is changed. | |
| DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE |
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
| <plist version="1.0"> | |
| <dict> | |
| <key>Ansi 0 Color</key> | |
| <dict> | |
| <key>Blue Component</key> | |
| <real>0.19370138645172119</real> | |
| <key>Green Component</key> | |
| <real>0.15575926005840302</real> |
| DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE | |
| Version 2, December 2004 | |
| Copyright (C) 2011 Jed Schmidt <http://jed.is> | |
| Everyone is permitted to copy and distribute verbatim or modified | |
| copies of this license document, and changing it is allowed as long | |
| as the name is changed. | |
| DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE |
| DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE | |
| Version 2, December 2004 | |
| Copyright (C) 2011 Jed Schmidt <http://jed.is> | |
| Everyone is permitted to copy and distribute verbatim or modified | |
| copies of this license document, and changing it is allowed as long | |
| as the name is changed. | |
| DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE |
| $.fn = { | |
| remove: function() { | |
| return this.each(function(el) { | |
| return el.parentNode.removeChild(el); | |
| }); | |
| }, | |
| each: function(callback) { | |
| this.dom.forEach(callback); | |
| return this; | |
| }, |
| () |
| (function(){ | |
| //pistachio | |
| //fear the stachio | |
| function compile(source,opts) { | |
| source = String(source) | |
| opts = opts || {} | |
| var template_source = "" | |
| var matcher = /[{][{]([@])?([#])?([/])?([a-zA-Z_$]\w*|[.])([\[](-?\d+)?(..(-?\d+)?)?[\]])?[}][}]/g | |
| var index = 0 |