diff --git a/app/controllers/announcements_controller.rb b/app/controllers/announcements_controller.rb
--- a/app/controllers/announcements_controller.rb
+++ b/app/controllers/announcements_controller.rb
@@ -66,7 +66,7 @@
 @announcement = Announcement.find(params[:id])
 
 respond_to do |format|
- if @announcement.update_attributes(params[:announcement])
+ if @announcement.update_attributes(announcement_params)
 flash[:notice] = 'Announcement was successfully updated.'
 format.html { redirect_to(@announcement) }
 format.js {}
@@ -108,4 +108,10 @@
 format.xml { head :ok }
 end
 end
+
+  private
+
+  def announcement_params
+    params.require(:announcement).permit(:author, :body, :published, :frontpage, :contest_only,:title, :note)
+  end
 end
diff --git a/app/controllers/configurations_controller.rb b/app/controllers/configurations_controller.rb
--- a/app/controllers/configurations_controller.rb
+++ b/app/controllers/configurations_controller.rb
@@ -19,7 +19,7 @@
 @config = GraderConfiguration.find(params[:id])
 User.clear_last_login if @config.key == GraderConfiguration::MULTIPLE_IP_LOGIN_KEY and @config.value == 'true' and params[:grader_configuration][:value] == 'false'
 respond_to do |format|
- if @config.update_attributes(params[:grader_configuration])
+ if @config.update_attributes(configuration_params)
 format.json { head :ok }
 else
 format.json { respond_with_bip(@config) }
@@ -27,4 +27,9 @@
 end
 end
 
+private
+  def configuration_params
+    params.require(:grader_configuration).permit(:key,:value_type,:value,:description)
+  end
+
 end
diff --git a/app/controllers/contests_controller.rb b/app/controllers/contests_controller.rb
--- a/app/controllers/contests_controller.rb
+++ b/app/controllers/contests_controller.rb
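Review bot: The `User.clear_last_login` guard at the top of the configurations hunk still reads `params[:grader_configuration][:value]` from the raw request, while the update two lines later goes through `configuration_params`; a PUT without a `grader_configuration` key now dies with NoMethodError on nil (a 500) in that guard before `require` can reject it as a 400, and the side effect and the update are fed from different copies of the input. Pull the sanitized value once, `new_value = configuration_params[:value]`, before the guard and compare `new_value == 'false'`. The keyword `and` there is the low-precedence form; `&&` is the idiomatic choice in a boolean condition. The `update` action begins above this hunk.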
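Review bot: `configuration_params` permits `:key` and `:value_type` on an action that looks the row up by id, so a request editing one setting's value can also rename it or change its declared type — and the `MULTIPLE_IP_LOGIN_KEY` comparison earlier in `update` is made against the key before it is overwritten. If the in-place editor only ever posts `value` (and perhaps `description`), narrow the whitelist to `params.require(:grader_configuration).permit(:value, :description)`. The bare `private` also sits at column 0 while the method under it is indented two spaces; indent it to the class body like the other controllers in this change.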
@@ -66,7 +66,7 @@
 @contest = Contest.find(params[:id])
 
 respond_to do |format|
- if @contest.update_attributes(params[:contest])
+ if @contest.update_attributes(contests_params)
 flash[:notice] = 'Contest was successfully updated.'
 format.html { redirect_to(@contest) }
 format.xml { head :ok }
@@ -89,4 +89,10 @@
 end
 end
 
+ private
+
+  def contests_params
+    params.require(:contest).permit(:title,:enabled,:name)
+  end
+
 end
diff --git a/app/controllers/site_controller.rb b/app/controllers/site_controller.rb
--- a/app/controllers/site_controller.rb
+++ b/app/controllers/site_controller.rb
@@ -59,4 +59,9 @@
 end
 end
 
+ private
+  def site_params
+    params.require(:site).permit()
+  end
+
 end
diff --git a/app/controllers/sites_controller.rb b/app/controllers/sites_controller.rb
--- a/app/controllers/sites_controller.rb
+++ b/app/controllers/sites_controller.rb
@@ -65,7 +65,7 @@
 @site.clear_start_time_if_not_started
 
 respond_to do |format|
- if @site.update_attributes(params[:site])
+ if @site.update_attributes(site_params)
 flash[:notice] = 'Site was successfully updated.'
 format.html { redirect_to(@site) }
 format.xml { head :ok }
@@ -88,4 +88,10 @@
 end
 end
 
+ private
+
+  def site_params
+    params.require(:site).permit(:name,:started,:start_time,:country_id,:password)
+  end
+
 end
diff --git a/app/controllers/submissions_controller.rb b/app/controllers/submissions_controller.rb
--- a/app/controllers/submissions_controller.rb
+++ b/app/controllers/submissions_controller.rb
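Review bot: The new helper is named `contests_params` (plural) while every sibling controller in this change uses the singular — `announcement_params`, `site_params`, `user_params`; rename it to `contest_params` in both the definition and the call in `update`, `if @contest.update_attributes(contest_params)`. Separating the symbols with a space, `permit(:title, :enabled, :name)`, would also match the style of announcement_params.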
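Review bot: `site_params` in site_controller.rb is not called by anything in this file's hunk and its `permit()` is empty, so if it ever were called it would `require(:site)` and then strip every attribute; the `site_params` that `update` actually uses is the one added to sites_controller.rb in the next file. This looks like a helper added to the wrong controller — drop it here, or, if site_controller does accept a site form somewhere outside this diff, give `permit` the real attribute list and a one-line comment naming the form it serves. The class's other methods are outside the hunk.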
@@ -60,61 +60,6 @@
 end
 end
 
-# # GET /submissions/new
-# # GET /submissions/new.json
-# def new
-# @submission = Submission.new
-#
-# respond_to do |format|
-# format.html # new.html.erb
-# format.json { render json: @submission }
-# end
-# end
-#
-#
-# # POST /submissions
-# # POST /submissions.json
-# def create
-# @submission = Submission.new(params[:submission])
-#
-# respond_to do |format|
-# if @submission.save
-# format.html { redirect_to @submission, notice: 'Submission was successfully created.' }
-# format.json { render json: @submission, status: :created, location: @submission }
-# else
-# format.html { render action: "new" }
-# format.json { render json: @submission.errors, status: :unprocessable_entity }
-# end
-# end
-# end
-#
-# # PUT /submissions/1
-# # PUT /submissions/1.json
-# def update
-# @submission = Submission.find(params[:id])
-#
-# respond_to do |format|
-# if @submission.update_attributes(params[:submission])
-# format.html { redirect_to @submission, notice: 'Submission was successfully updated.' }
-# format.json { head :no_content }
-# else
-# format.html { render action: "edit" }
-# format.json { render json: @submission.errors, status: :unprocessable_entity }
-# end
-# end
-# end
-#
-# # DELETE /submissions/1
-# # DELETE /submissions/1.json
-# def destroy
-# @submission = Submission.find(params[:id])
-# @submission.destroy
-#
-# respond_to do |format|
-# format.html { redirect_to submissions_url }
-# format.json { head :no_content }
-# end
-# end
 protected
 def submission_authorization
@@ -133,5 +78,6 @@
 unauthorized_redirect
 return false
 end
+
 end
diff --git a/app/controllers/user_admin_controller.rb b/app/controllers/user_admin_controller.rb
--- a/app/controllers/user_admin_controller.rb
+++ b/app/controllers/user_admin_controller.rb
@@ -118,7 +118,7 @@
 def update
 @user = User.find(params[:id])
- if @user.update_attributes(params[:user])
+ if @user.update_attributes(user_params)
 flash[:notice] = 'User was successfully updated.'
 redirect_to :action => 'show', :id => @user
 else
@@ -535,4 +535,9 @@
 end
 end
 end
+
+  private
+  def user_params
+    params.require(:user).permit(:login,:full_name,:hashed_password,:salt,:alias,:email,:site_id,:country_id,:activated,:enabled,:remark,:last_ip,:section)
+  end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -31,7 +31,7 @@
 
 validates_presence_of :login
 validates_uniqueness_of :login
- validates_format_of :login, :with => /^[\_A-Za-z0-9]+$/
+ validates_format_of :login, :with => /\A[\_A-Za-z0-9]+\z/
 validates_length_of :login, :within => 3..30
 
 validates_presence_of :full_name
diff --git a/config/environments/development.rb b/config/environments/development.rb
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -23,7 +23,7 @@
 config.action_dispatch.best_standards_support = :builtin
 
 # Raise exception on mass assignment protection for Active Record models
- config.active_record.mass_assignment_sanitizer = :strict
+ # config.active_record.mass_assignment_sanitizer = :strict //DEPRICATED
 
 # Log the query plan for queries taking more than this (works // DEPRICATED
 # with SQLite, MySQL, and PostgreSQL) // DEPRICATED
diff --git a/config/environments/test.rb b/config/environments/test.rb
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -30,7 +30,7 @@
 config.action_mailer.delivery_method = :test
 
 # Raise exception on mass assignment protection for Active Record models
- config.active_record.mass_assignment_sanitizer = :strict
+ #config.active_record.mass_assignment_sanitizer = :strict // DEPRICATED
 
 # Print deprecation notices to the stderr
 config.active_support.deprecation = :stderr
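Review bot: `user_params` whitelists `:hashed_password`, `:salt` and `:last_ip`, so a crafted admin edit request can write the stored password hash and its salt directly — bypassing whatever the model does when a password is assigned, presumably hashing it — and overwrite the last-login IP audit field; with `mass_assignment_sanitizer` switched off in this same change, this list is now the only thing between the request and those columns. Unless the edit form really posts them, drop the three: `params.require(:user).permit(:login, :full_name, :alias, :email, :site_id, :country_id, :activated, :enabled, :remark, :section)`, and route password changes through whichever path the model uses for plaintext passwords (not shown here). The helper is reached from `update` in the hunk above; whether other actions in this controller still pass `params[:user]` is outside the diff.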
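Review bot: The replacement line in development.rb tags itself `//DEPRICATED` — `//` is not Ruby comment syntax (it is harmless only because the whole line is already a `#` comment) and the word is misspelled. Since the `mass_assignment_sanitizer` option disappeared with `attr_accessible` in Rails 4 and strong parameters replace it, delete the line instead of keeping a commented-out copy, or at least make the note accurate: `# mass_assignment_sanitizer was removed in Rails 4; strong parameters replace it.` The test.rb hunk below carries the same tag.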