
So after a lot of banging my head against the wall I was finally able to write some code that I need, like this:

= link_to 'Clear', params.merge(:teachers => {:sort_column => 'teacher_name', :sort_direction => 'desc'}), :class => 'btn'

Notice I have used params.merge command.

But now I ran it through the Brakeman gem and it says params.merge has a cross site scripting vulnerability.

So now how can I rewrite the same code that doesn't use params.merge?

Bohn
  • Try just `{ :teachers => {:sort_column => 'teacher_name', :sort_direction => 'asc'} }`. Basically, remove the call to `params.merge`. This will work if you don't have other params besides action and controller. – jvnill Mar 18 '13 at 15:42
  • "This will work if you don't have other params besides action and controller." ... can you please explain this part a little more. Thanks. – Bohn Mar 18 '13 at 15:45
  • If your URL is `localhost:3000/users?foo=bar`, it won't include the `foo=bar` part. It will only use the controller (users) and the action (index). – jvnill Mar 18 '13 at 15:50

1 Answer


There's no reason to use (and plenty of reason not to) the entire params hash. Simply pull out the parts you need to build the URL. Since you are redirecting to the same action and controller, you can leave those out and Rails will figure out the path:

= link_to 'Clear', :teachers => ...

If you need specific parameters besides for the action and controller, you can add those in:

= link_to 'Clear', :id => params[:id], :teachers => ...
PinnyM
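Since the answer comes down to forwarding only the parameters you actually need, here is an added example (not code from the question or the answer) of a small view helper that does that with an explicit allowlist, so neither stray query keys nor an unexpected sort value are handed to url_for. It assumes `params` is a plain Hash with string keys, and the `ALLOWED_*` constants are names chosen for this example.

```ruby
# Added example: build the link's parameter hash from an allowlist instead of
# params.merge. Assumes `params` is a Hash with string keys as it reaches the view.

# Request parameters that may be carried over into generated links.
# Everything else is dropped rather than forwarded to url_for.
ALLOWED_LINK_PARAMS = %w[id page].freeze

# Sort options we are willing to put into a link; anything else is rejected
# rather than passed through from the caller.
ALLOWED_SORT_COLUMNS = %w[teacher_name created_at].freeze
ALLOWED_SORT_DIRECTIONS = %w[asc desc].freeze

# Returns a Hash for link_to/url_for: allowlisted request params plus the
# sort settings. Raises ArgumentError on an unknown column or direction.
def sort_link_params(params, sort_column:, sort_direction:)
  unless ALLOWED_SORT_COLUMNS.include?(sort_column.to_s)
    raise ArgumentError, "unknown sort column: #{sort_column.inspect}"
  end
  unless ALLOWED_SORT_DIRECTIONS.include?(sort_direction.to_s)
    raise ArgumentError, "unknown sort direction: #{sort_direction.inspect}"
  end

  carried = {}
  params.each do |key, value|
    carried[key.to_sym] = value if ALLOWED_LINK_PARAMS.include?(key.to_s)
  end
  carried.merge(teachers: { sort_column: sort_column.to_s,
                            sort_direction: sort_direction.to_s })
end

# In the HAML view the original line becomes:
#   = link_to 'Clear', sort_link_params(params, sort_column: 'teacher_name', sort_direction: 'desc'), :class => 'btn'

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request: carries an id plus a key we never asked to forward.
  sample = { 'controller' => 'teachers', 'action' => 'index', 'id' => '7', 'foo' => 'bar' }
  p sort_link_params(sample, sort_column: 'teacher_name', sort_direction: 'desc')
end
```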