I just upgraded to Rails 5.0.1, and I'm running into a security warning:
ArgumentError in Categories#show
Showing /home/user/website/app/views/categories/show.html.erb where line #127 raised:
Attempting to generate a URL from non-sanitized request parameters! An attacker
can inject malicious data into the generated URL, such as changing the host.
Whitelist and sanitize passed parameters to be secure.
This is the offending code:
<%= link_to "Title", params.merge(:utf8 => params[:utf8], :search => params[:search], :x => "5", :y => ""), title:"Alphabetical" %>
I searched for this error and found a few similar problems, but they were either solved by running permit! instead of just permit (which is inapplicable in my situation) or the problem was a bug, which I hope isn't the case. I tried adding html_safe to my parameters but it didn't help.
Anyone know how I can sanitize my parameters to abide by Rails 5 security measures?
You can sanitize params as follows:
<%= link_to "Title",
      params.merge(
        :utf8 => params[:utf8],
        :search => params[:search],
        :x => "5",
        :y => ""
      ).permit(:utf8, :search, :x, :y),
      title: "Alphabetical" %>
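To show what the warning is protecting against and what the allow-list in the answer achieves, here is an added plain-Ruby illustration (not code from the question, the answer, or Rails itself; it needs no Rails install). The permit and build_url functions are simplified, constructed stand-ins for ActionController::Parameters#permit and url_for's handling of routing keys such as host, and the request parameters are constructed sample input.

```ruby
# Added example: a simplified model of why url_for rejects unpermitted
# request params and how an explicit allow-list removes the risk.
require 'uri'

# Keys that url_for treats as routing options rather than query params.
# (Simplified stand-in for Rails behaviour, constructed for this example.)
ROUTING_KEYS = %w[host protocol port script_name].freeze

# Simplified stand-in for ActionController::Parameters#permit:
# keep only allow-listed keys, normalising symbol and string keys.
def permit(params, allowed)
  allowed = allowed.map(&:to_s)
  params.each_with_object({}) do |(k, v), out|
    out[k.to_s] = v if allowed.include?(k.to_s)
  end
end

# Constructed imitation of url_for: a 'host' key overrides the host of the
# generated URL; every other key becomes part of the query string.
def build_url(path, params, default_host: 'www.example.com')
  params = params.transform_keys(&:to_s)
  host = params.fetch('host', default_host)
  query = params.reject { |k, _| ROUTING_KEYS.include?(k) }
  q = URI.encode_www_form(query)
  "https://#{host}#{path}" + (q.empty? ? '' : "?#{q}")
end

# Constructed request params: what a browser sent, plus an extra 'host'
# key that the application never intended to accept.
REQUEST_PARAMS = { 'utf8' => '✓', 'search' => 'rails',
                   'host' => 'attacker.example' }.freeze

# Mirrors the original view: merging raw params straight into the URL,
# so the unexpected 'host' key changes where the link points.
def unsafe_link
  build_url('/categories/1', REQUEST_PARAMS.merge(x: '5', y: ''))
end

# Mirrors the answer: allow-list the keys before generating the URL,
# so only utf8, search, x and y survive and the host stays ours.
def safe_link
  merged = REQUEST_PARAMS.merge(x: '5', y: '')
  build_url('/categories/1', permit(merged, [:utf8, :search, :x, :y]))
end

if $PROGRAM_NAME == __FILE__
  puts "unpermitted: #{unsafe_link}"
  puts "permitted:   #{safe_link}"
end
```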