Ruby on Rails
Tuesday, October 21, 2014
I want to create a URL with one param changed. In my case, I want to link to, redirect to, or otherwise create a URL for the same page, but in a different locale.
url_for :locale => new_locale
Loses the query string.
url_for params.merge(:locale => new_locale)
URL is generated correctly, but someone could make my URL point to a different domain by passing a :host parameter.
url_for params.merge(:locale => new_locale, :only_path => true)
Prevents the security problem in the previous example, but potentially there are other ways to mess with the generated URL (passing other url_for options like script_name, anchor, etc.). Not sure if these other parameters represent a security issue.
Is there a secure way to do this? Perhaps a method to generate a URL where none of the parameters are "special"? Or does the final example handle all the potential security problems?
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-talk+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/c1328860-b63c-46a7-9551-330a62396010%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
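The safer pattern the post is asking about, as an added example (editor's code, not from the original post and not Rails' own API): never hand request data to url_for as an options hash. Any hash that comes from the request can carry keys such as host, protocol, port, script_name or anchor, and url_for reads those as instructions for building the URL rather than as query values. The first function below builds the same-page URL as plain text from the request path and the raw query string (request.path and request.query_string in Rails), so every parameter, attacker-supplied or not, can only ever be a key=value pair. The second function is the fallback for when the changed parameter is a path segment and url_for must regenerate the route: it strips the option keys and forces only_path. The names same_page_url, url_for_options_from and URL_FOR_OPTION_KEYS are this example's own, the key list is an assumption (it is not taken from Rails' source), and the sample request data is constructed. Ruby standard library only, so it runs without Rails.

```ruby
require "uri"

# Keys that url_for reads as URL-generation options instead of query values.
# Assumption: this list is a reviewer's starting point (the keys named in the
# post plus protocol, port and trailing_slash); it is not extracted from Rails
# and Rails may honour more, which is why same_page_url below avoids url_for
# entirely rather than depending on the list.
URL_FOR_OPTION_KEYS = %w[host protocol port only_path script_name anchor
                        trailing_slash].freeze

# Same page, one query parameter replaced, built as text from the request path
# and the raw query string (request.path and request.query_string in Rails).
# Nothing here is interpreted as an option: a query parameter named "host" or
# "script_name" round-trips as an ordinary key=value pair.
def same_page_url(path, query_string, key, value)
  raise ArgumentError, "path must start with /" unless path.start_with?("/")

  pairs = URI.decode_www_form(query_string.to_s)
  first = pairs.index { |k, _| k == key }
  pairs.reject! { |k, _| k == key }            # drop every old copy, duplicates too
  pairs.insert(first || pairs.size, [key, value])
  "#{path}?#{URI.encode_www_form(pairs)}"
end

# For the case where the parameter is a path segment and url_for has to
# regenerate the route: strip every url_for option key from the request params
# before merging, then force only_path so the result can never carry a host.
# Returns a Hash ready for url_for(...). Keys are stringified so an attacker's
# "locale" and the caller's :locale cannot survive as two distinct keys.
def url_for_options_from(params, overrides)
  kept = params.each_with_object({}) do |(k, v), acc|
    acc[k.to_s] = v unless URL_FOR_OPTION_KEYS.include?(k.to_s)
  end
  overrides.each { |k, v| kept[k.to_s] = v }
  kept.merge("only_path" => true)
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample request: a visitor on /articles/7 whose query string
  # smuggles url_for option names in alongside the real parameters.
  hostile_query = "locale=en&host=evil.example&script_name=%2F%2Fevil.example&page=2"
  puts same_page_url("/articles/7", hostile_query, "locale", "fr")

  hostile_params = { "controller" => "articles", "action" => "show", "id" => "7",
                     "locale" => "en", "host" => "evil.example" }
  p url_for_options_from(hostile_params, locale: "fr")
end
```

On the post's last question: only_path: true keeps :host, :protocol and :port out of the result, but :script_name and :anchor taken from the same hash still reach url_for. script_name is prepended to the generated path, so a value beginning with // can produce a protocol-relative URL, which a browser resolves against another host when used as a redirect target. That is why the text builder above never passes request data to url_for, and why the filtered-hash helper is limited to the path-segment case.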