ArgumentError - Whitelist and sanitize passed parameters to be secure

Time: 2017-03-22 06:19:26

Tags: ruby-on-rails ruby security ruby-on-rails-5 sanitization

I just upgraded to Rails 5.0.1 and I ran into a security warning:

ArgumentError in Categories#show
Showing /home/user/website/app/views/categories/show.html.erb where line #127 raised:

Attempting to generate a URL from non-sanitized request parameters! An attacker 
can inject malicious data into the generated URL, such as changing the host. 
Whitelist and sanitize passed parameters to be secure.

Here is the offending code:

<%= link_to "Title", params.merge(:utf8 => params[:utf8], :search => params[:search], :x => "5", :y => ""), title:"Alphabetical" %>

I searched for this error and found some similar questions, but they either solved it with permit! instead of permit (which does not apply in my case), or the problem was a bug, which I hope is not the case here. I tried adding html_safe to my parameters, but it did not help.

Does anyone know how to sanitize my parameters to comply with the Rails 5 security measures?

1 answer:

Answer 0 (score: 0)

You can sanitize params as follows:

<%= link_to "Title",
  params.merge(
    :utf8 => params[:utf8],
    :search => params[:search],
    :x => "5",
    :y => "").permit(:utf8, :search, :x, :y),
  title:"Alphabetical" %>
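To show why the whitelist in the answer matters, here is an added example that is not part of the question or the answer: it models in plain Ruby, without Rails, what `params.merge(...).permit(:utf8, :search, :x, :y)` achieves when the request also carries attacker-injected `host` and `protocol` keys. The `permit` helper, `sort_link_params`, `build_url` and the sample params are assumptions constructed for this illustration, not Rails APIs.

```ruby
require "uri"

# Constructed sample of the request params as Rails exposes them in `params`.
# `controller`/`action`/`id` come from the route; `host` and `protocol` were
# injected via the query string and would change the origin of a generated URL.
REQUEST_PARAMS = {
  "controller" => "categories",
  "action"     => "show",
  "id"         => "12",
  "utf8"       => "✓",
  "search"     => "books",
  "host"       => "evil.example",   # injected by the requester
  "protocol"   => "http",           # injected by the requester
}.freeze

# Hypothetical stand-in for ActionController::Parameters#permit: keep only the
# whitelisted keys and silently drop everything else.
def permit(params, *allowed)
  allowed = allowed.map(&:to_s)
  params.select { |key, _| allowed.include?(key.to_s) }
end

# Builds the sort-link params the way the question does, then whitelists them
# exactly as the answer suggests.
def sort_link_params(params)
  merged = params.merge("x" => "5", "y" => "")
  permit(merged, :utf8, :search, :x, :y)
end

# Minimal stand-in for url_for: if `host`/`protocol` keys are present they
# override the application's own origin, which is the risk the warning names.
def build_url(link_params, base_host: "shop.example")
  host   = link_params.fetch("host", base_host)
  scheme = link_params.fetch("protocol", "https")
  query  = link_params.reject { |k, _| %w[host protocol controller action id].include?(k) }
  "#{scheme}://#{host}/categories?#{URI.encode_www_form(query.to_a)}"
end

if __FILE__ == $PROGRAM_NAME
  puts build_url(REQUEST_PARAMS.merge("x" => "5", "y" => ""))  # origin hijacked
  puts build_url(sort_link_params(REQUEST_PARAMS))             # origin preserved
end
```

Running it prints the hijacked `http://evil.example/...` URL from the unfiltered merge, and the `https://shop.example/...` URL once only the permitted keys reach the URL builder.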