diff --git a/app/controllers/spree/admin/payments_controller.rb b/app/controllers/spree/admin/payments_controller.rb
index af100b7c80..7627e5c6a2 100644
--- a/app/controllers/spree/admin/payments_controller.rb
+++ b/app/controllers/spree/admin/payments_controller.rb
@@ -82,7 +82,7 @@ module Spree
 source_params = params.delete(:payment_source)[params[:payment][:payment_method_id]]
 params[:payment][:source_attributes] = source_params
 end
- params[:payment]
+ params.require(:payment).permit(:amount, :payment_method_id, :source_attributes)
 end

 def load_data
diff --git a/app/controllers/spree/admin/taxons_controller.rb b/app/controllers/spree/admin/taxons_controller.rb
index ddc1b63c70..a79dfd28d8 100644
--- a/app/controllers/spree/admin/taxons_controller.rb
+++ b/app/controllers/spree/admin/taxons_controller.rb
@@ -89,7 +89,7 @@ module Spree
 @update_children = true
 end

- if @taxon.update_attributes(params[:taxon])
+ if @taxon.update_attributes(taxon_params)
 flash[:success] = flash_message_for(@taxon, :successfully_updated)
 end

@@ -113,6 +113,17 @@ module Spree
 @taxon.destroy
 respond_with(@taxon) { |format| format.json { render json: '' } }
 end
+
+ private
+
+ def taxon_params
+ params.require(:taxon).permit(permitted_params)
+ end
+
+ def permitted_params
+ [:name, :parent_id, :position, :icon, :description, :permalink,
+ :taxonomy_id, :meta_description, :meta_keywords, :meta_title]
+ end
 end
 end
 end
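Review bot: In `payments_controller.rb`, the new `permit(:amount, :payment_method_id, :source_attributes)` lists `:source_attributes` as a plain key, yet the context lines directly above assign the nested `source_params` hash to it. Strong parameters only pass scalar values for keys listed that way, so the nested source hash would be filtered out and the payment would be built without its source. The nested keys should be enumerated, e.g. `params.require(:payment).permit(:amount, :payment_method_id, source_attributes: [<source field names>])`, where the placeholder stands for the fields the payment form actually submits. Because this hash carries request-supplied payment details, an explicit list is preferable to `permit!`. The enclosing method starts above the hunk, so the exact field list needs to be confirmed against the form.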
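Review bot: In the last hunk of `taxons_controller.rb`, `permitted_params` is a very generic name for a private controller method and could clash with a same-named helper in a parent class or concern (none is visible here); a name such as `permitted_taxon_attributes` would be safer. The method also deserves a short comment, e.g. `# Mass-assignment allowlist for the taxon model; add attributes here deliberately.` The list permits `:parent_id`, `:taxonomy_id`, `:position` and `:permalink`, which `update` may already handle by hand (the `@update_children` context in the previous hunk hints at this), so it is worth confirming they are meant to be mass-assignable too. Any other action in this controller that still passes `params[:taxon]` directly lies outside these hunks and should go through `taxon_params` as well.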