Argument Error - Whitelist and sanitize passed parameters to be secure
I just upgraded to Rails 5.0.1 and I'm getting a security warning:
ArgumentError in Categories#show
Showing /home/user/website/app/views/categories/show.html.erb where line #127 raised:
Attempting to generate a URL from non-sanitized request parameters! An attacker
can inject malicious data into the generated URL, such as changing the host.
Whitelist and sanitize passed parameters to be secure.
Here is the offending code:
<%= link_to "Title", params.merge(:utf8 => params[:utf8], :search => params[:search], :x => "5", :y => ""), title:"Alphabetical" %>
I searched for this error and found some similar questions, but they either solved it by using permit! instead of permit (which doesn't apply in my case), or the problem was a bug, which I hope is not the case here. I tried adding html_safe to my params, but it didn't help.
Does anyone know how I can sanitize my params to comply with the Rails 5 security measures?
You can sanitize params as follows:
<%= link_to "Title",
      params.merge(
        :utf8 => params[:utf8],
        :search => params[:search],
        :x => "5",
        :y => "").permit(:utf8, :search, :x, :y),
      title:"Alphabetical" %>
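To make the warning concrete, here is an added example (not code from the question or the answer, and not Rails' own implementation) that models in plain Ruby what url_for does with an options hash: reserved keys such as host and protocol change the origin of the generated URL, everything else becomes a query string. The Params class is a minimal stand-in for ActionController::Parameters with only the merge and permit calls used above, and the current-request values, the attacker's request parameters and the site name shop.example are all constructed for the example. Rails 5 only raises the ArgumentError when an unpermitted Parameters object reaches url_for; the unsafe_link_url function below shows what the link would have become without that check (or if the check were bypassed with to_unsafe_h), and safe_link_url applies the whitelist from the answer.

```ruby
require "cgi"

# Keys that url_for treats as routing/origin options rather than query params.
# (Simplified model for this example; Rails' real list is longer.)
RESERVED_KEYS = %w[host protocol controller action].freeze

# Simplified model of url_for: options override the current request's
# origin and route, remaining keys are appended as a query string.
def build_url(request, options)
  opts = options.transform_keys(&:to_s)
  protocol   = opts.fetch("protocol",   request[:protocol])
  host       = opts.fetch("host",       request[:host])
  controller = opts.fetch("controller", request[:controller])
  action     = opts.fetch("action",     request[:action])
  query = opts.reject { |k, _| RESERVED_KEYS.include?(k) }
              .map { |k, v| "#{CGI.escape(k)}=#{CGI.escape(v.to_s)}" }
              .join("&")
  url = "#{protocol}://#{host}/#{controller}/#{action}"
  query.empty? ? url : "#{url}?#{query}"
end

# Minimal stand-in for ActionController::Parameters (assumption: Rails is
# not loaded here). permit returns only the whitelisted keys.
class Params
  def initialize(hash)
    @hash = hash.transform_keys(&:to_s)
  end

  def [](key)
    @hash[key.to_s]
  end

  def merge(other)
    Params.new(@hash.merge(other.transform_keys(&:to_s)))
  end

  def permit(*keys)
    allowed = keys.map(&:to_s)
    @hash.select { |k, _| allowed.include?(k) }
  end

  # Equivalent of to_unsafe_h: every request parameter, attacker-controlled or not.
  def to_unsafe_h
    @hash.dup
  end
end

# Constructed current request: GET https://shop.example/categories/show
CURRENT_REQUEST = {
  protocol: "https", host: "shop.example",
  controller: "categories", action: "show"
}.freeze

# Constructed attacker request parameters:
#   ?utf8=✓&search=foo&host=evil.example&protocol=http
ATTACKER_PARAMS = Params.new(
  "controller" => "categories", "action" => "show",
  "utf8" => "✓", "search" => "foo",
  "host" => "evil.example", "protocol" => "http"
)

# The merge from the question, unchanged.
def link_options(params)
  params.merge(utf8: params[:utf8], search: params[:search], x: "5", y: "")
end

# Without the whitelist the attacker's host/protocol rewrite the link's origin.
def unsafe_link_url(params)
  build_url(CURRENT_REQUEST, link_options(params).to_unsafe_h)
end

# With the whitelist from the answer only utf8/search/x/y survive.
def safe_link_url(params)
  build_url(CURRENT_REQUEST, link_options(params).permit(:utf8, :search, :x, :y))
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{unsafe_link_url(ATTACKER_PARAMS)}"
  puts "safe:   #{safe_link_url(ATTACKER_PARAMS)}"
end
```

The unsafe variant yields a link to http://evil.example/..., which is exactly the host-injection the Rails message warns about; the permitted variant keeps the link on the current origin and carries only the four expected query parameters.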