I want to create a URL with one param changed. In my case, I want to link to, redirect to, or otherwise create a URL for the same page, but in a different locale.
url_for :locale => new_locale
Loses the query string.
url_for params.merge(:locale => new_locale)
URL is generated correctly, but someone could make my URL point to a different domain by passing a :host parameter.
url_for params.merge(:locale => new_locale, :only_path => true)
Prevents the security problem in the previous example, but potentially there are other ways to mess with the generated URL (passing other url_for options like script_name, anchor, etc.). Not sure if these other parameters represent a security issue.
Is there a secure way to do this? Perhaps a method to generate a URL where none of the parameters are "special"? Or does the final example handle all the potential security problems?