Safely merge params for use with url_for or for the query string

MergeParams

Why do we need it?

Have you ever wanted to take the current route and change just one parameter in the route to generate a new route?

For example, maybe you've tried to do something like this:

  redirect_to url_for(params.merge(thing_id: thing.id))

or this:

  link_to 'Download as CSV', params.merge(format: :csv)

If you have tried that, and you are on Rails 5.0 or later, then you have probably run into this error:

Attempting to generate a URL from non-sanitized request parameters! An attacker can inject malicious data into the generated URL, such as changing the host. Whitelist and sanitize passed parameters to be secure.

(See also: rails/rails#26289)

How do I use it?

Anywhere you would be tempted to do params.merge(hash), just replace with merge_params(hash) or merge_url_for(hash). For example:

  link_to 'Download as CSV', merge_params(format: :csv)
  redirect_to merge_url_for(thing_id: thing.id)

Is it guaranteed to be safe?

No. While a best effort has been made to ensure unsafe params are not used to generate a URL, we may have overlooked something. Please review the code and the tests (coming soon) and open an issue if you find any security holes in this approach.

Other helpers

Unlike merge_url_for, which tries to generate a route from the given params, sometimes you just want to add the given params to the "end" of the URL as part of the query string:

add_params(key: 'value')
# => "/current_path?key=value"

add_params({key: 'value'}, '/other_url')
# => "/other_url?key=value"
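The two behaviours described above (stripping url_for's URL-level options out of request params before merging, and appending params to a query string) can be illustrated without Rails. The following is an added example written for this README, not the gem's own code: the function names, the `UNSAFE_URL_OPTIONS` list and the sample request params are all assumptions made for the illustration, and the real set of options url_for reserves may differ from this list.

```ruby
require 'uri'

# Keys that url_for treats as URL options (host, scheme, ...) rather than
# route or query params. If these came from the request, a user could steer
# the generated URL to another host. This list is an assumption for the
# example, not the gem's own list.
UNSAFE_URL_OPTIONS = %w[
  host protocol port subdomain domain tld_length script_name
  only_path trailing_slash anchor
].freeze

# Return the keys of +request_params+ that would be stripped, so an
# application can log when a request actually carries one of them.
def unsafe_url_keys(request_params)
  request_params.keys.map(&:to_s).select { |k| UNSAFE_URL_OPTIONS.include?(k) }
end

# Drop the unsafe URL options from the request params, then merge the
# caller's overrides (values chosen by the application, not by the user).
# Keys are normalised to strings so "format" and :format cannot coexist.
def safe_merge_params(request_params, overrides)
  sanitized = request_params.transform_keys(&:to_s)
                            .reject { |k, _| UNSAFE_URL_OPTIONS.include?(k) }
  sanitized.merge(overrides.transform_keys(&:to_s))
end

# Append +new_params+ to the query string of +path+, replacing any existing
# value for the same key. Only the query component is rebuilt; the host of
# an absolute URL is never derived from the parameters.
def add_query_params(path, new_params)
  uri = URI.parse(path)
  existing = uri.query ? URI.decode_www_form(uri.query).to_h : {}
  merged = existing.merge(new_params.transform_keys(&:to_s))
  uri.query = merged.empty? ? nil : URI.encode_www_form(merged)
  uri.to_s
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request params, as if a user had appended ?host=evil.example
  request_params = { 'controller' => 'things', 'action' => 'index',
                     'page' => '2', 'host' => 'evil.example' }
  puts unsafe_url_keys(request_params).inspect              # ["host"]
  puts safe_merge_params(request_params, format: :csv).inspect
  puts add_query_params('/things?page=2', key: 'value')     # /things?page=2&key=value
end
```

In a real controller the sanitized hash would then be passed to url_for; the point of the example is that the filtering happens on the request side before the application's own overrides are merged in, so the overrides can never be shadowed by a user-supplied host or protocol.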

Installation

Add this line to your application's Gemfile:

gem 'merge_params'

Add this line to your ApplicationController (or whichever controller you want to have the helpers):

  include MergeParams::Helpers

The helpers will also be registered with helper_method so that they are available for use in view templates as well.

Similar projects

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/TylerRick/merge_params.
