Thank you for this. I will have to look into a few off that list and implement them. All the models do have attr_accessible. Using CarrierWave for uploads.
I think it might be worth your time to double check your attr_accessibles. Just:
grep attr_accessible app/models/*rb
Everything that comes up on that list, you should be comfortable with users giving any value they want to; that's what attr_accessible (effectively, not literally) means: "I give up any control of how these attributes will be set".
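To make the point above concrete, here is an added example (not Rails' own code and not from either poster) of the whitelist semantics attr_accessible gives you, written as a small plain-Ruby stand-in so it runs without Rails. The `MassAssignable` module, `User` class and the constructed `TAMPERED_PARAMS` hash are all assumptions made for the illustration; the behaviour shown is the one the comment describes: anything on the attr_accessible list can be set to whatever a request supplies, and anything not on it is dropped.

```ruby
# Added example: a minimal stand-in for Rails' attr_accessible whitelist.
# This is NOT Rails' implementation; it only mirrors the semantics.
require 'set'

module MassAssignable
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Declare which attributes may be set from untrusted input (mirrors attr_accessible).
    def attr_accessible(*names)
      accessible_attributes.merge(names.map(&:to_s))
      names.each { |n| attr_accessor n }
    end

    def accessible_attributes
      @accessible_attributes ||= Set.new
    end
  end

  # Assign from a params-like hash, silently dropping any key that is not
  # whitelisted. Returns the dropped keys so a caller can log them for review.
  def assign_attributes(params)
    dropped = []
    params.each do |key, value|
      if self.class.accessible_attributes.include?(key.to_s)
        public_send("#{key}=", value)
      else
        dropped << key.to_s
      end
    end
    dropped
  end
end

class User
  include MassAssignable
  attr_accessor :admin            # deliberately NOT on the whitelist
  attr_accessible :name, :email   # these two may take any value a user sends

  def initialize
    @admin = false
  end
end

# Constructed sample input: a form submission carrying an extra "admin" field.
TAMPERED_PARAMS = { 'name' => 'alice', 'email' => 'alice@example.com', 'admin' => true }.freeze

# Apply the sample input and report what the model ended up with.
def demo
  user = User.new
  dropped = user.assign_attributes(TAMPERED_PARAMS)
  { name: user.name, email: user.email, admin: user.admin, dropped: dropped }
end

# Equivalent of the grep in the comment: the list you must be comfortable
# letting users set freely.
def whitelisted_attributes
  User.accessible_attributes.to_a.sort
end

p demo if __FILE__ == $PROGRAM_NAME
```

Running it prints the assigned name and email, `admin: false`, and `dropped: ["admin"]`; `whitelisted_attributes` returns exactly the names you would review from the grep output.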