links on the page (e.g. pagination) that include arbitrary query parameters
that the user has entered.
Since `url_for` symbolizes any keys passed to it, for obvious memory
concerns you can't just pass the entire params hash.
In Rails 3.2, however, you can do this:
```ruby
include Rails.application.routes.url_helpers
url_for action: 'index', controller: 'employees', host: 'foo.bar', params: {'eee' => 3}
# => "http://foo.bar/employees?eee=3"
Symbol.all_symbols.map(&:to_s).include? 'eee'
# => false
```
In other words, you can pass `params: request.query_parameters` to
`url_for` to avoid the potential DOS issue.
However, we still support Rails 3.0 and 3.1, and they completely ignore
`:params`.
Save for monkeypatching, has anyone found a way to safely provide this
functionality?
Thanks,
Sean Linsley
--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/7r7n5_gT6dkJ.
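One way to keep user-supplied keys away from `url_for` altogether, as an added example that is not part of the original post: build the base URL from fixed keys only, then append the query string from String keys. `flatten_query`, `append_query`, `symbol_interned?` and the sample parameters are hypothetical names and constructed data, and the code assumes a Ruby that has `URI.encode_www_form` (1.9.2 or later).

```ruby
require 'uri'

# Hypothetical helper (not a Rails API): flatten nested params into
# [key, value] pairs using Rails-style bracket notation. Keys stay Strings
# throughout, so nothing user-controlled is ever interned as a Symbol.
def flatten_query(value, prefix = nil, out = [])
  case value
  when Hash
    value.each do |k, v|
      key = prefix ? "#{prefix}[#{k}]" : k.to_s
      flatten_query(v, key, out)
    end
  when Array
    value.each { |v| flatten_query(v, "#{prefix}[]", out) }
  else
    out << [prefix, value.to_s]
  end
  out
end

# Hypothetical helper: append the encoded pairs to a URL that was generated
# from trusted, fixed keys (for example url_for with only :action/:controller).
def append_query(base_url, user_params)
  pairs = flatten_query(user_params)
  return base_url if pairs.empty?
  separator = base_url.include?('?') ? '&' : '?'
  "#{base_url}#{separator}#{URI.encode_www_form(pairs)}"
end

# Same check as in the post: is there a Symbol with this name?
def symbol_interned?(name)
  Symbol.all_symbols.any? { |s| s.to_s == name }
end

# Constructed sample standing in for request.query_parameters.
SAMPLE_PARAMS = {
  'zq_user_key_7731' => '3',
  'q'   => { 'zq_nested_key_7731' => 'a b' },
  'ids' => %w[1 2]
}

# Assumption: in an app this string would come from url_for with fixed keys.
BASE_URL = 'http://foo.bar/employees'
PAGE_URL = append_query(BASE_URL, SAMPLE_PARAMS)
puts PAGE_URL
puts symbol_interned?('zq_user_key_7731')
```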