Jason Barnabe
2014-Oct-21 15:38 UTC
Securely redirecting to the same page with one param changed
I want to create a URL with one param changed. In my case, I want to link to, redirect to, or otherwise create a URL for the same page, but in a different locale.

    url_for :locale => new_locale

Loses the query string.

    url_for params.merge(:locale => new_locale)

URL is generated correctly, but someone could make my URL point to a different domain by passing a :host parameter.

    url_for params.merge(:locale => new_locale, :only_path => true)

Prevents the security problem in the previous example, but potentially there are other ways to mess with the generated URL (passing other url_for options like script_name, anchor, etc.). Not sure if these other parameters represent a security issue.

Is there a secure way to do this? Perhaps a method to generate a URL where none of the parameters are "special"? Or does the final example handle all the potential security problems?
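
Added illustration (not part of the original post, and not a Rails API): one way to get a URL in which no parameter is "special" is to bypass url_for options and rebuild the URL from the request path and query string alone. `same_page_url` is a hypothetical helper; it assumes its inputs are the already-encoded values of the current request (for example `request.path` and `request.query_string`), and the sample inputs in the usage are constructed.

```ruby
require "uri"

# Hypothetical helper (not a Rails API): rebuild the current page's URL from
# the request path and query string only. Every request parameter is treated
# as plain query data, so names like "host", "only_path", "script_name" or
# "anchor" can never act as url_for options.
def same_page_url(path, query_string, overrides = {})
  # Keep the result a same-origin relative path: strip control characters and
  # backslashes, then collapse leading slashes so "//other.example/x" cannot
  # be read by a browser as a scheme-relative URL.
  safe_path = path.to_s.gsub(/[\x00-\x1f\\]/, "")
  safe_path = "/" + safe_path.sub(%r{\A/+}, "")

  # Parse the query as ordered key/value pairs (repeated keys survive),
  # drop the keys being overridden, then append the new values.
  # Note: URI.decode_www_form raises ArgumentError on malformed input.
  pairs = URI.decode_www_form(query_string.to_s)
  names = overrides.keys.map(&:to_s)
  pairs.reject! { |key, _| names.include?(key) }
  overrides.each do |key, value|
    pairs << [key.to_s, value.to_s] unless value.nil?
  end

  query = URI.encode_www_form(pairs)
  query.empty? ? safe_path : "#{safe_path}?#{query}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: attacker-supplied "host" and "only_path" stay inert
  # query parameters instead of changing where the link points.
  puts same_page_url("/posts", "page=2&host=evil.example&only_path=false",
                     locale: "fr")
  # Constructed sample: an existing locale is replaced, not duplicated.
  puts same_page_url("/posts", "locale=en&q=a+b", locale: "de")
  # Constructed sample: a doubled leading slash is collapsed.
  puts same_page_url("//other.example/x", "", locale: "fr")
end
```

The result is always a path-relative string, so it can be passed to `redirect_to` or `link_to` without any request parameter reaching the URL generator's option hash.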