Securely redirecting to the same page with one param changed


Jason Barnabe

Oct 21, 2014, 11:38:26 AM
to rubyonra...@googlegroups.com
I want to create a URL with one param changed. In my case, I want to link to, redirect to, or otherwise create a URL for the same page, but in a different locale.


url_for :locale => new_locale

Loses the query string.


url_for params.merge(:locale => new_locale)

URL is generated correctly, but someone could make my URL point to a different domain by passing a :host parameter.


url_for params.merge(:locale => new_locale, :only_path => true)

Prevents the security problem in the previous example, but potentially there are other ways to mess with the generated URL (passing other url_for options like script_name, anchor, etc.). Not sure if these other parameters represent a security issue.

Is there a secure way to do this? Perhaps a method to generate a URL where none of the parameters are "special"? Or does the final example handle all the potential security problems?
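One way to avoid the problem raised in the question is to never hand request parameters to url_for as options, and instead rebuild the link from the request's own path and query string so that keys such as host or only_path stay plain data. The following is an added example, not code from the original post; it assumes the locale travels as a query-string parameter, and the names ALLOWED_LOCALES and same_page_with_locale are hypothetical. In a Rails controller the first two arguments would be request.path and request.query_string.

```ruby
require "uri"

# Hypothetical allowlist; the post does not list the application's locales.
ALLOWED_LOCALES = %w[en fr de].freeze

# Returns a path-only URL for the same page with only "locale" changed.
# path and query_string stand in for request.path and request.query_string.
def same_page_with_locale(path, query_string, new_locale)
  unless ALLOWED_LOCALES.include?(new_locale.to_s)
    raise ArgumentError, "unsupported locale"
  end

  # Collapse leading slashes and backslashes so a path like "//host/x"
  # cannot turn into a protocol-relative URL pointing at another domain.
  safe_path = "/" + path.to_s.sub(%r{\A[/\\]+}, "")

  # Decode the query into key/value pairs. Every pair is treated as data,
  # so "host", "only_path", "script_name" and similar keys have no effect
  # on where the generated URL points.
  pairs = URI.decode_www_form(query_string.to_s)
  pairs = pairs.reject { |key, _value| key == "locale" }
  pairs << ["locale", new_locale.to_s]

  "#{safe_path}?#{URI.encode_www_form(pairs)}"
end

# Constructed sample input: a query string carrying url_for option names.
puts same_page_with_locale(
  "/posts",
  "page=2&host=evil.example&only_path=false&locale=en",
  "fr"
)
```

URI.decode_www_form raises ArgumentError on malformed percent-encoding or non-ASCII input, so a caller would rescue that and fall back to the bare path.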