
Until recently, I have been using params.merge to handle this, but having been alerted to an XSS vulnerability, I needed to find a better way to handle locale switching. Most pages are now completely fine, but certain URLs have params that I need to keep, for example:

movies/123456/seat?ticket_id=1670&locale=en&time_type=2

The locale switch is now handled like so from the navbar:

<li><%= link_to "English", locale: "en" %></li>

Unfortunately, switching the locale (e.g. to Japanese) results in the following:

movies/123456/seat?locale=ja

Is there any way that I can retain the parameters (without using params.merge as before) or do I need to re-work large chunks of my application to resolve this?

kuwantum
  • http://guides.rubyonrails.org/i18n.html#managing-the-locale-across-requests – Fabrizio Bertoglio Jan 10 '18 at 08:48
  • I probably should have said that was my first visit with this haha! Unfortunately I still have the issue of my url dropping any params when I switch. In the given example, I can see the "lost params url" when hovering over the option so I have definitely got something wrong. – kuwantum Jan 10 '18 at 08:54
  • https://stackoverflow.com/questions/29002068/rails-i18n-passed-params-get-lost#29008971 – Fabrizio Bertoglio Jan 10 '18 at 09:04
  • Unfortunately that solution also exposes params to the view - I can very easily XSS inject code back into my app if I do that. For example, adding `seat: params[:seat]` means that adding `/?seat=">` to the browser makes a nasty little popup appear. – kuwantum Jan 10 '18 at 09:08
  • I would consider if you can solve part of the problem by creating better routes. For example: `/tickets/1670/seats`. – max Jan 10 '18 at 09:19

1 Answer

You can create a method to whitelist and sanitize the params:

module ParamsHelper
  # Keep only the allowlisted query params, strip HTML from their values,
  # and set the locale the link should switch to (defaults to the current one).
  def merge_and_sanitize_params(*whitelist, locale: I18n.locale)
    params.permit(*whitelist)
          .transform_values! { |v| sanitize(v) }
          .merge(locale: locale)
  end
end

<li><%= link_to "English", merge_and_sanitize_params(:time_type, :ticket_id, locale: "en") %></li>

This uses ActionView::Helpers::SanitizeHelper which is better than nothing but may still be vulnerable to well-crafted attacks.

max
  • Thanks, this seems to be a good short-term solution while I make routing changes as you mentioned in the comment on the original question. – kuwantum Jan 10 '18 at 22:08
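The same allowlist idea, shown as an added example in plain Ruby (stdlib only, not code from the answer above or from the asker's application) so it can be run outside Rails. It goes one step further than the answer: instead of sanitizing HTML out of whatever arrives, it keeps only the allowlisted keys whose values match an expected shape (the assumption here is that `ticket_id` and `time_type` are numeric, as in the question's URL), sets the target locale, and percent-encodes the result, so a payload such as `">` never reaches the page as markup.

```ruby
require "uri"

# Allowlist of query parameters that may be carried across a locale switch,
# each with the shape its value must have. Assumption: both are numeric ids,
# as in the question's example URL.
CARRY_OVER = {
  "ticket_id" => /\A\d+\z/,
  "time_type" => /\A\d+\z/,
}.freeze

# Rebuild the query string for a locale-switch link: keep only allowlisted
# keys whose values match their pattern, set the new locale, and let
# URI.encode_www_form percent-encode every key and value.
def locale_switch_query(raw_query, new_locale, allow = CARRY_OVER)
  incoming = URI.decode_www_form(raw_query.to_s)
  kept = incoming.each_with_object({}) do |(key, value), acc|
    pattern = allow[key]
    acc[key] = value if pattern && value.match?(pattern)
  end
  kept["locale"] = new_locale
  URI.encode_www_form(kept)
end

# Full href for the link, e.g. "/movies/123456/seat?ticket_id=1670&time_type=2&locale=ja".
def locale_switch_href(path, raw_query, new_locale)
  "#{path}?#{locale_switch_query(raw_query, new_locale)}"
end

# Constructed samples: the question's URL with a hostile extra parameter
# appended, and a copy whose ticket_id has been tampered with.
SAMPLE_PATH    = "/movies/123456/seat"
SAMPLE_QUERY   = "ticket_id=1670&locale=en&time_type=2&seat=%22%3E%3Cscript%3E"
TAMPERED_QUERY = "ticket_id=%22%3E&time_type=2"

if $PROGRAM_NAME == __FILE__
  puts locale_switch_href(SAMPLE_PATH, SAMPLE_QUERY, "ja")
  puts locale_switch_href(SAMPLE_PATH, TAMPERED_QUERY, "ja")
end
```

The unknown `seat` key is dropped because it is not allowlisted, and the tampered `ticket_id` is dropped because it fails the numeric check, so neither needs sanitizing at all. Inside Rails, passing a plain hash to `link_to` goes through `url_for`, which percent-encodes values the same way via `Hash#to_query`; the risk in the linked answer comes from interpolating raw param values into strings, not from the hash form.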