diff --git a/app/controllers/suppliers_controller.rb b/app/controllers/suppliers_controller.rb
index e11c069..5145c12 100644
--- a/app/controllers/suppliers_controller.rb
+++ b/app/controllers/suppliers_controller.rb
@@ -37,7 +37,7 @@ class SuppliersController < ApplicationController
 # POST /suppliers
 # POST /suppliers.xml
 def create
- @supplier = Supplier.new(params[:supplier])
+ @supplier = Supplier.new(supplier_params)
 
 respond_to do |format|
 if @supplier.save
@@ -55,7 +55,7 @@ class SuppliersController < ApplicationController
 # PUT /suppliers/1.xml
 def update
 @supplier = Supplier.find(params[:id])
- attrs = params[:supplier]
+ attrs = supplier_params
 
 respond_to do |format|
 # @todo fix by generating proper hidden input in html
@@ -86,4 +86,32 @@ class SuppliersController < ApplicationController
 format.xml { head :ok }
 end
 end
+
+ private
+
+ def supplier_params
+ params
+ .require(:supplier)
+ .permit(
+ :name,
+ :address,
+ :phone,
+ :phone2,
+ :fax,
+ :email,
+ :url,
+ :delivery_days,
+ :note,
+ :ftp_sync,
+ :ftp_host,
+ :ftp_user,
+ :ftp_password,
+ :ftp_type,
+ :ftp_regexp,
+ :mail_sync,
+ :mail_type,
+ :mail_from,
+ :mail_subject
+ )
+ end
 end
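Review bot: The permit list in `supplier_params` puts `ftp_host`, `ftp_user`, `ftp_password` and `ftp_regexp` in the same mass-assignable set as `name` or `phone`, and nothing in this hunk shows who is allowed to reach `create` or `update`. Judging by their names, these fields steer a server-side sync (which host is contacted, with which credentials, and which pattern is applied), so they need an authorization check on the controller and validation in the model; neither is visible here, so both should be confirmed. I would at least document the intent above the method, e.g. `# ftp_*/mail_* configure server-side sync; writable only by roles allowed to edit suppliers.`, and check that `ftp_password` is excluded from the `format.xml` responses and from request logs. The class body starts outside the hunk, so any existing `before_action` cannot be seen from here.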