
I am getting this error when I try to use the code below:

link_to params.merge(:sort => column, :direction => direction, :page => nil) do
  "#{title} #{content_tag(:i, "", class: "fa fa-chevron-#{direction == 'asc' ? 'up' : 'down'}")}".html_safe
end

Specifically, it seems to happen when I add params.merge there. What is the real cause and what should I do?

Full error message:

Attempting to generate a URL from non-sanitized request parameters! An attacker can inject malicious data into the generated URL, such as changing the host. Whitelist and sanitize passed parameters to be secure.

Using Rails version 5.

iGEL
Petros Kyriakou
  • Are you using rails 5.0.0? According to this thread (http://stackoverflow.com/questions/34413971/rails-5-0-0-beta1-generating-an-url-from-non-sanitized-request-parameters-is-i) this should be fixed now. – siegy22 Jul 11 '16 at 13:28
  • Yes, I am using version 5.0, but I am not using the kaminari gem but rather the will_paginate gem. – Petros Kyriakou Jul 11 '16 at 13:29
  • Have you tried using the newest will_paginate gem? `bundle update will_paginate` or use it from GitHub in your Gemfile. – siegy22 Jul 11 '16 at 13:50
  • I'm using Rails 5.0.0 and getting this error too. Mine has nothing to do with any pagination gems; it is related to params.merge. I have not found any good info on this. Do you have any hints after dealing with it? – hellion Jul 12 '16 at 01:39
  • @hellion, I am not saying it had to do with will_paginate; the problem is when I use params.merge, and no, I haven't found anything yet. If you do before me, do let me know :) – Petros Kyriakou Jul 12 '16 at 11:45

3 Answers

Just use the normal strong parameters feature of Rails to whitelist good params. You don't have to define a method as suggested in the guide, just call params.permit(...) wherever you need it, e.g.:

link_to "asdf", params.permit(:page, :customer_id).merge(sort: column)

Using params.permit! allows all params (basically dodges the new security check) and is thus not recommended.

iGEL
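The allowlisting this answer recommends, shown as an added example that is not from the answer or from Rails itself: a plain-Ruby model of what params.permit(...) does, with the sort column and direction also validated against fixed lists. All names here are this example's own; `permit` and `build_url` stand in for Rails' `params.permit` and `url_for` so the code runs without Rails.

```ruby
# Added example, not code from the original question or answers.
# Plain-Ruby model of strong-parameter allowlisting for a sort link;
# `permit` and `build_url` are stand-ins for params.permit / url_for.
require "uri"

SORTABLE_COLUMNS = %w[name created_at price].freeze  # columns the view may sort by
DIRECTIONS       = %w[asc desc].freeze
LINK_KEYS        = %w[page q].freeze                 # request params passed through

# Mimics `params.permit(*LINK_KEYS)`: keep only allowlisted keys and drop
# everything else, including keys such as "host" or "controller" that would
# otherwise change the generated URL.
def permit(params, allowed)
  params.select { |k, _| allowed.include?(k.to_s) }
end

# Query params for a sort link. The sort column must be one the view knows;
# an unknown direction falls back to "asc" instead of being echoed back.
def sort_link_params(params, column, direction)
  unless SORTABLE_COLUMNS.include?(column.to_s)
    raise ArgumentError, "unknown sort column: #{column}"
  end
  dir = DIRECTIONS.include?(direction.to_s) ? direction.to_s : "asc"
  permit(params, LINK_KEYS).merge("sort" => column.to_s, "direction" => dir, "page" => nil)
end

# Stand-in for url_for: nil values are dropped (page reset), the rest is
# encoded as a query string.
def build_url(path, query)
  q = query.reject { |_, v| v.nil? }
  q.empty? ? path : "#{path}?#{URI.encode_www_form(q)}"
end

# Constructed sample request params, including keys that must not survive.
SAMPLE_PARAMS = { "page" => "3", "q" => "shoes",
                  "host" => "attacker.example", "controller" => "items" }.freeze

if __FILE__ == $PROGRAM_NAME
  link = sort_link_params(SAMPLE_PARAMS, :price, "desc")
  puts build_url("/items", link)  # /items?q=shoes&sort=price&direction=desc
end
```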

For anybody new to Rails who hits such a thing, it is about doing params.permit!, ideally after actually validating these params.

I tried to use the smart_lists gem, which appears not to be Rails 5 compatible yet. For me it was about looking at the backtrace to see where the freakin params are used so I can permit them. Again, depending on usage, permitting should be done after proper validation.

akostadinov
  • Update: smart_listing is already Rails 5 compatible: http://showcase.sology.eu/smart_listing – lfx Aug 30 '16 at 16:24

Try:

link_to params.merge(:sort => column, :direction => direction, :page => nil).permit! do
  "#{title} #{content_tag(:i, "", class: "fa fa-chevron-#{direction == 'asc' ? 'up' : 'down'}")}".html_safe
end
  • Why should the OP "try this code"? A **good answer** will always have an explanation of what was done and why it was done in such a manner, not only for the OP but for future visitors to SO. – B001ᛦ Aug 19 '16 at 10:21
  • Using `permit!` is insecure because it permits whatever the user sends, defeating the point of strong parameters. – Paul A Jungwirth Nov 09 '17 at 23:31