> What else are you going to do, ignore user input?
You can selectively grab the fields you are expecting (for this request and account privilege level), validate them as necessary, and assign them, one by one, to the record.
> Overall, Rails has done such an excellent job of this that lots
> of other web frameworks are basically copying everything they do.
The Rails community has historically been hostile to people pointing out bad security design decisions. I'm skeptical this new development will change anything.
A few years ago, there were similar questions about why Rails doesn't HTML-escape by default. The response was that it would break the entire framework and that you "just" need to remember to escape everywhere. Totally naive. Fortunately the world didn't end when Merb was merged and escaping by default was added.
While white-listing is easier than HTML-escaping everywhere, it involves work (and thought). Not to mention how you deal with different account privilege levels when you white-list at the database layer.
> Most rails sites don't even use mass assignment.
If you think mass-assignment isn't rampant, just look in the PragProg Rails book, or search the internet for tutorials. The examples everywhere show using mass assignment to create and update objects. The generated templates use it. GitHub obviously did too. Typing @foo.update_attributes(params[:foo]) is too easy, and you have to dig to find any mention of the security issues with it. Well, until now that is.
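As an added example (not code from the thread above, and not Rails' own implementation), the following plain Ruby contrasts the mass-assignment pattern the comment criticizes with the selective, per-privilege-level assignment it recommends. The `User` class, its fields, the `PERMITTED` table and the tampered request hash are all constructed here so the script runs without Rails; `update_attributes` is a stand-in that mimics the hash-to-record behaviour the comment describes.

```ruby
# Added example (not from the original thread): mass assignment versus
# selective, whitelisted assignment. Everything below is constructed for
# illustration; it is not Rails code.

class User
  attr_accessor :name, :email, :admin

  def initialize(name: "", email: "", admin: false)
    @name, @email, @admin = name, email, admin
  end

  # Stand-in for @user.update_attributes(params[:user]): every key in the
  # hash is written straight to the record, including fields the form
  # never exposed. This is the behaviour the comment warns about.
  def update_attributes(attrs)
    attrs.each { |k, v| public_send("#{k}=", v) }
    self
  end
end

# Fields each privilege level is allowed to set for this request.
# Anything not listed is dropped rather than assigned.
PERMITTED = {
  user:  %w[name email],
  admin: %w[name email admin],
}.freeze

# Selective assignment as the comment describes: grab only the expected
# fields for this role, validate them, and assign one by one.
# Returns the record and the list of keys that were rejected.
def safe_update(record, params, role:)
  allowed = PERMITTED.fetch(role)
  rejected = []
  params.each do |key, value|
    key = key.to_s
    unless allowed.include?(key)
      rejected << key
      next
    end
    case key
    when "email"
      raise ArgumentError, "invalid email" unless value.to_s.match?(/\A[^@\s]+@[^@\s]+\z/)
    when "admin"
      # Coerce the form value to a real boolean instead of storing "1".
      value = (value == true || value == "true" || value == "1")
    end
    record.public_send("#{key}=", value)
  end
  [record, rejected]
end

# Constructed request body: a normal user edits their profile but adds an
# "admin" field that the form never showed.
TAMPERED_PARAMS = { "name" => "mallory", "email" => "m@example.com", "admin" => "1" }.freeze

# Mass assignment: the extra field lands on the record unchanged.
def mass_assignment_result
  User.new.update_attributes(TAMPERED_PARAMS).admin
end

# Whitelisted assignment for the :user role: the extra field is rejected.
def whitelisted_result
  user, rejected = safe_update(User.new, TAMPERED_PARAMS, role: :user)
  [user.admin, rejected]
end

if __FILE__ == $0
  puts "mass assignment sets admin to: #{mass_assignment_result.inspect}"
  admin, rejected = whitelisted_result
  puts "whitelisted admin: #{admin.inspect}, rejected keys: #{rejected.inspect}"
end
```

The `PERMITTED` table is what makes the privilege-level problem from the comment tractable: the allowed field set is chosen per request and per role at the controller boundary, so the same model can be written by an admin form and a self-service form without the database layer having to know which is which.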