Forum: Ruby on Rails rails form_for + address picker jquery creates odd parameter format for post

Announcement (2017-05-07): is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see and for other Rails- und Ruby-related community platforms.
F333012a5ccea0988663005e52255048?d=identicon&s=25 Derek Chadwell (Guest)
on 2013-12-14 04:37
(Received via mailing list)
I am using the addresspicker jquery to get a user address.  The user
address fields and hidden fields for latitude and longitude are in
fields_for ":Locations".  In order for the jquery callback to fill in my
latitude and longitude boxes I have to use the ":name=>" tag on the
 When I do this, my form is posted with the latitude and longitude
outside the :Locations structure.  As a result, I can't use ".permit()"
them and I'm worried that I'm leaving my program vulnerable.

the data structure sent to rails via the POST:

 "Locations"=>{"location"=>"Bugs bunnies Rabbit hole, Albequerque, NM,
United States"},
 "commit"=>"Creating a user"}

The forms and corresponding javascript:

41     <div class="span5">
 42       <%= form_for @user do |f| %>
 43         <legend>Create Your Account</legend>
 44         <%= f.label :first_name %>
 45         <%= f.text_field :first_name, :placeholder => "First Name"
 47         <%= f.label :last_name %>
 48         <%= f.text_field :last_name, :placeholder => "Last Name"%>
 50         <%= f.label :email_address %>
 51         <%= f.text_field :email_address, :placeholder =>
"you@location.domain" %>
 53         <%= f.label :password %>
 54         <%= f.password_field :password, :placeholder => "Minimum six
characters" %>
 56         <%= f.label :password_confirmation, "Confirm Password" %>
 57         <%= f.password_field :password_confirmation %>
 59         <label>
 60           Where you would like to find volunteer opportunities
 61         </label>
 62         <%= fields_for :Locations do |l| %>
 63           <%= l.text_field :location, :placeholder => "e.g. 27370 or
Archdale, NC", :id => "geocomplete", :class => "ui-autocomplete-input",
 65           <%= l.text_field :latitude,  :name => "lat" %>
 66           <%= l.text_field :longitude, :name => "lng" %>
 67         <% end %>
 68         <br>
 69         <%= f.submit "Let's do it!", :class => "btn btn-large
btn-success" %>
 70       <% end %>
 72     </div>
 73     </div>
 74   </div>
 76   <script
 77   <script
 78   <script src="/assets/jquery.geocomplete.js?body=1"></script>
 79     <script>
 80       $(function(){
 81         $("#geocomplete").geocomplete({
 82           details: "form",
 83           types: ["geocode", "establishment"]
 84         });
 86       });
 87     </script>

my controller as it stands now:

  1 class UsersController < ApplicationController
  3   def create
  4     @user =[:user].permit(:first_name, :last_name,
  5                                           :password_confirmation,
  6     @user.confirmation = _random_string()
  7     @location =[:Locations].permit(:location))
  8     @location.coordinates = [params[:lng],params[:lat]]
  9     @location.distance = 50
 11     if not
 12       flash[:notice] = "user not saved"
 13       render "/static_pages/homepage"
 14       return
 15     end

The javascript is awfully long so I won't post it here, but it can be
viewed at .  I think all you
need to know about it is that it defines attributes for a found google
address and then fills in fields on a page whose names match the
names in the jquery.  Of those, I am only interested in "lat" and "lng"

My question is around the right way to do this.  Should I do something
force the "lat" and "lng" variables into the Locations hash so I can
.permit() those keys and keep my program safe?  Should I not worry about
and soldier on?  Is there something inherently wrong with my use of the
name symbols with the fields_for functionality?  A consult is very
24f49d448968ea24c8630c31fae12758?d=identicon&s=25 Bala Paranj (Guest)
on 2013-12-15 10:23
(Received via mailing list)
I don't think you should be worried about lat and long being outside of
locations. What is the worst thing that can happen? You have to make a
judgement based on the application requirements.
81b61875e41eaa58887543635d556fca?d=identicon&s=25 Frederick Cheung (Guest)
on 2013-12-15 12:08
(Received via mailing list)
On Saturday, December 14, 2013 3:36:27 AM UTC, Derek Chadwell wrote:
> and soldier on?  Is there something inherently wrong with my use of the
> name symbols with the fields_for functionality?  A consult is very welcome.
First off it looks like the plugin will, instead of looking at the name
attribute look at the attribute of your choice if you ask it to. The
example in the docs reads

<div class="details">
  Latitude:     <span data-geo="lat" />
  Longitude:    <span data-geo="lng" />
  Address:      <span data-geo="formatted_address" />
  Country Code: <span data-geo="country_short" /></div>

  details: ".details",
  detailsAttribute: "data-geo"});

Which seems to suggest that it would then use the data-geo attribute to
locate the fields.

As far as security goes, you should be ok as it is. The reason things
strong parameters (and previously attr_accessible) is that we're trying
have all of the convenience of SomeClass.create(params[:some_class]) but
with the safety that comes from explicitly saying what should be
(so that people can't add extra params to the hash and have us blindly
assign them) eg

object = = params[:foo] = params[:bar]

which is tedious. There isn't anything wrong from a security point of
with the tedious way: no one can add extra parameters and have you
unwittingly used them.
The only extra thing strong_parameters does is reject parameters of
unexpected types. There have been in the past vulnerabilities due to
arrays, nils, hashes etc. being passed when the programmer expected
or numbers (although if my memory is correct that was to do with those
values being passed to where().
To replicate that protection, all you would have to do is

@location.coordinates = [params[:lng].to_f,params[:lat].to_f]

This topic is locked and can not be replied to.