I am getting this error when I try to use the code below:
link_to params.merge(:sort => column, :direction => direction, :page => nil) do
"#{title} #{content_tag(:i, "", class: "fa fa-chevron-#{direction == 'asc' ? 'up': 'down'}") }".html_safe
end
Specifically, it seems to happen when I add params.merge there. What is the real cause and what should I do?
Full error message:
Attempting to generate a URL from non-sanitized request parameters! An attacker can inject malicious data into the generated URL, such as changing the host. Whitelist and sanitize passed parameters to be secure.
Using Rails version 5.
Just use the normal strong parameters feature of Rails to whitelist good params. You don't have to define a method as suggested in the guide, just call params.permit(...) wherever you need it, e.g.:
link_to "asdf", params.permit(:page, :customer_id).merge(sort: column)
Using params.permit! allows all params (basically dodges the new security check) and is thus not recommended.
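Added example, not code from the question or the answers: a plain-Ruby model of the Rails 5 rule behind the error, so it runs without Rails. RequestParams and sort_link_query are hypothetical stand-ins for ActionController::Parameters and the link helper; an ArgumentError stands in for the exception Rails raises. Like Rails, merge keeps the receiver's permitted state, which is why permit has to come before merge.

```ruby
class RequestParams
  def initialize(hash, permitted: false)
    @hash = hash.transform_keys(&:to_s)
    @permitted = permitted
  end

  def permitted?
    @permitted
  end

  # Whitelist: keep only the named keys and mark the copy as permitted.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    RequestParams.new(@hash.select { |k, _| allowed.include?(k) }, permitted: true)
  end

  # Everything passes and is marked permitted: this is why permit! is discouraged.
  def permit!
    RequestParams.new(@hash, permitted: true)
  end

  # As in Rails, the merged result inherits the receiver's permitted state.
  def merge(other)
    RequestParams.new(@hash.merge(other.transform_keys(&:to_s)), permitted: @permitted)
  end

  # Stand-in for url_for / link_to: refuse unfiltered input with the error from the question.
  def to_query
    unless @permitted
      raise ArgumentError, "Attempting to generate a URL from non-sanitized request parameters!"
    end
    @hash.reject { |_, v| v.nil? }.map { |k, v| "#{k}=#{v}" }.join("&")
  end
end

# The sort-link pattern from the answer: permit first, then merge the sort keys.
def sort_link_query(params, column, direction)
  params.permit(:page, :customer_id)
        .merge(sort: column, direction: direction, page: nil)
        .to_query
end

# Constructed request (not from the page): a client appended an unexpected host key.
REQUEST = RequestParams.new({ "page" => "3", "customer_id" => "42", "host" => "attacker.invalid" })
```

Running sort_link_query(REQUEST, "name", "asc") yields only the whitelisted keys plus the sort keys, while calling merge and to_query on REQUEST directly, as the question's code does, raises the error.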
For anybody new to Rails that hits such a thing, it is about doing params.permit!, ideally after actually validating these params.
I tried to use the smart_lists gem, which appears not to be Rails 5 compatible yet. For me it was about looking at the backtrace to see where the freakin' params are used so I can permit them.
Again, depending on usage, permitting should be done after proper validation.