Have you ever wanted to take the current route and change just one parameter in the route to generate a new route?
For example, maybe you've tried to do something like this:
redirect_to url_for(params.merge(thing_id: thing.id))
or this:
link_to 'Download as CSV', params.merge(format: :csv)
If you have tried that, and you are on Rails 5.0 or later, then you have probably run into this error:
Attempting to generate a URL from non-sanitized request parameters! An attacker can inject malicious data into the generated URL, such as changing the host. Whitelist and sanitize passed parameters to be secure.
(See also: rails/rails#26289)
Anywhere you would be tempted to write params.merge(hash), replace it with merge_params(hash) or merge_url_for(hash). For example:
link_to 'Download as CSV', merge_params(format: :csv)
redirect_to merge_url_for(thing_id: thing.id)
Is this guaranteed to be safe? No. While a best effort has been made to ensure unsafe params are not used to generate a URL, we may have overlooked something. Please review the code and the tests (coming soon) and open an issue if you find any security holes in this approach.
Unlike merge_url_for, which tries to generate a route from the given params, sometimes you just want to add the given params to the "end" of the URL as part of the query string:
add_params(key: 'value')
# => "/current_path?key=value"
add_params({key: 'value'}, '/other_url')
# => "/other_url?key=value"
Add this line to your application's Gemfile:
gem 'merge_params'
Add this line to your ApplicationController (or whichever controller you want to have the helpers):
include MergeParams::Helpers
The helpers will also be registered with helper_method so that they are available in view templates as well.
Bug reports and pull requests are welcome on GitHub at https://github.com/TylerRick/merge_params.