Generate a URL from non-sanitized request parameters
I am getting this error when I try to use the code below:

    link_to params.merge(:sort => column, :direction => direction, :page => nil) do
      "#{title} #{content_tag(:i, "", class: "fa fa-chevron-#{direction == 'asc' ? 'up' : 'down'}")}".html_safe
    end

Specifically, it seems to happen when I add params.merge there. What is the real cause and what should I do?

Full error message:

Attempting to generate a URL from non-sanitized request parameters! An attacker can inject malicious data into the generated URL, such as changing the host. Whitelist and sanitize passed parameters to be secure.

Using Rails version 5.

Cantara answered 11/7, 2016 at 13:23 Comment(5)
Are you using Rails 5.0.0? According to this thread (#34414471) this should be fixed now. - Gooseherd
Yes, I am using version 5.0, but I am not using the kaminari gem but rather the will_paginate gem. - Cantara
Have you tried using the newest will_paginate gem? bundle update will_paginate, or use it from GitHub in your Gemfile. - Gooseherd
I'm using Rails 5.0.0 and getting this error too. Mine has nothing to do with any pagination gems; it is related to params.merge. I have not found any good info on this. Do you have any hints after dealing with it? - Iphagenia
@hellion, I am not saying it had to do with will_paginate; the problem is when I use params.merge, and no, I haven't found anything yet. If you do before me, do let me know :) - Cantara
Just use the normal strong parameters feature of Rails to whitelist good params. You don't have to define a method as suggested in the guide, just call params.permit(...) wherever you need it, e.g.:

link_to "asdf", params.permit(:page, :customer_id).merge(sort: column)

Using params.permit! allows all params (basically dodges the new security check) and is thus not recommended.

Insular answered 11/11, 2016 at 9:26 Comment(0)
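The whitelist-then-merge pattern from this answer, as an added Rails-free illustration (not code from the question or answers): `request_params` stands in for the raw request parameters (what `params.to_unsafe_h` would give you), and `PERMITTED_KEYS` is an assumed list of keys the listing accepts. In a real view you would write `params.permit(*PERMITTED_KEYS).merge(...)`; the point shown here is that an injected key such as `host` never reaches the URL builder, while `permit!`-style merging passes it straight through.

```ruby
# Assumed whitelist for this listing page (constructed for the example).
PERMITTED_KEYS = %w[customer_id q sort direction page].freeze
DIRECTIONS = %w[asc desc].freeze

# Query parameters for a sortable column header, built the safe way:
# keep only whitelisted keys, validate :direction, flip it when the column
# is already the active sort, and reset :page so sorting starts at page 1.
def sort_link_params(request_params, column)
  safe = request_params.transform_keys(&:to_s)
                       .select { |k, _| PERMITTED_KEYS.include?(k) }
  current_dir = DIRECTIONS.include?(safe["direction"]) ? safe["direction"] : "asc"
  direction = (safe["sort"] == column.to_s && current_dir == "asc") ? "desc" : "asc"
  safe.merge("sort" => column.to_s, "direction" => direction, "page" => nil)
end

# The permit-everything equivalent of params.merge(...).permit!: whatever the
# client sent (including a :host key) survives into the generated URL.
def permit_all_link_params(request_params, column, direction)
  request_params.transform_keys(&:to_s)
                .merge("sort" => column.to_s, "direction" => direction, "page" => nil)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request: a legitimate filter plus an injected host override.
  req = { "customer_id" => "7", "host" => "attacker.example", "sort" => "name",
          "direction" => "asc", "page" => "3" }
  p sort_link_params(req, "name")              # host dropped, direction flipped, page reset
  p permit_all_link_params(req, "name", "desc") # host still present
end
```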
For anybody new to Rails who hits such a thing, it is about doing params.permit!, ideally after actually validating these params.

I tried to use smart_lists gem which appears to not be rails 5 compatible yet. For me it was about looking at the backtrace to see where the freakin params are used so I can permit them. Again, depending on usage, permitting should be done after proper validation.

Remains answered 10/8, 2016 at 12:25 Comment(1)
Update: smart_listing is already Rails 5 compatible: showcase.sology.eu/smart_listing - Metamorphosis
Try

    link_to params.merge(:sort => column, :direction => direction, :page => nil).permit! do
      "#{title} #{content_tag(:i, "", class: "fa fa-chevron-#{direction == 'asc' ? 'up' : 'down'}")}".html_safe
    end

Pied answered 19/8, 2016 at 10:1 Comment(2)
Why should the OP "try this code"? A good answer will always have an explanation of what was done and why it was done in such a manner, not only for the OP but for future visitors to SO. - Fordo
Using permit! is insecure because it permits whatever the user sends, defeating the point of strong parameters. - Idellaidelle