0.0
No commit activity in last 3 years
No release in over 3 years
Safely merge params for use with url_for or for the query string
 Dependencies

Development

~> 10.0
~> 3.0

Runtime

>= 4.2, < 5.3
>= 4.2, < 5.3
>= 0
 Project Readme

MergeParams

Why do we need it?

Have you ever wanted to take the current route and change just one parameter in the route to generate a new route?

For example, maybe you've tried to do something like this:

  redirect_to url_for(params.merge(thing_id: thing.id))

or this:

  link_to 'Download as CSV', params.merge(format: :csv)

If you have tried that, and you are on Rails 5.0 or later, then you have probably run into this error:

Attempting to generate a URL from non-sanitized request parameters! An attacker can inject malicious data into the generated URL, such as changing the host. Whitelist and sanitize passed parameters to be secure.

(See also: rails/rails#26289)

How do I use it?

Anywhere you would be tempted to do params.merge(hash), just replace with merge_params(hash) or merge_url_for(hash). For example:

  link_to 'Download as CSV', merge_params(format: :csv)
  redirect_to merge_url_for(thing_id: thing.id)

Is it guaranteed to be safe?

No. While a best effort has been made to ensure unsafe params are not used to generate a URL, we may have overlooked something. Please review the code and the tests (coming soon) and open an issue if you find any security holes in this approach.
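To make the risk named in the Rails error concrete, here is an added example (not the gem's code, and not how the gem is implemented) in plain Ruby with no Rails dependency. `toy_url_for`, `safe_merge`, `URL_OPTION_KEYS` and the sample request are hypothetical names and constructed data; the key list is modeled on options that `url_for` treats as URL structure.

```ruby
require 'uri'

# Keys a url_for-style builder treats as URL structure rather than query data.
# Constructed for this example; an assumption, not the gem's own list.
URL_OPTION_KEYS = %w[host protocol port subdomain domain only_path
                     script_name anchor trailing_slash user password].freeze

# Toy stand-in for url_for (hypothetical): honors host/protocol when present
# and puts every remaining non-structural key into the query string.
def toy_url_for(path, opts, default_host: 'app.example')
  opts = opts.transform_keys(&:to_s)
  host = opts.delete('host') || default_host
  protocol = opts.delete('protocol') || 'https'
  query = opts.reject { |k, _| URL_OPTION_KEYS.include?(k) }
  url = "#{protocol}://#{host}#{path}"
  url += "?#{URI.encode_www_form(query.sort)}" unless query.empty?
  url
end

# Hypothetical safe merge: request params lose URL-structure keys and any
# non-scalar value; the developer-supplied hash is trusted and merged last.
def safe_merge(request_params, trusted)
  cleaned = request_params.transform_keys(&:to_s).select do |k, v|
    !URL_OPTION_KEYS.include?(k) && (v.is_a?(String) || v.is_a?(Numeric))
  end
  cleaned.merge(trusted.transform_keys(&:to_s))
end

# Constructed request params: host=... arrived in the query string with real data.
REQUEST_PARAMS = { 'page' => '2', 'host' => 'evil.example',
                   'filter' => { 'nested' => 'x' } }.freeze

# Equivalent of params.merge(format: :csv): the request decides the host.
def naive_link
  toy_url_for('/things', REQUEST_PARAMS.merge('format' => 'csv'))
end

# Filtered merge: only scalar, non-structural request params survive.
def safe_link
  toy_url_for('/things', safe_merge(REQUEST_PARAMS, format: :csv))
end

puts naive_link
puts safe_link
```

The filter drops nested values outright, which is stricter than an application with legitimately nested query params would want; treat it as the shape of the check to look for when reviewing the gem, not as a replacement for it.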

Other helpers

Unlike merge_url_for, which tries to generate a route from the given params, sometimes you just want to add the given params to the "end" of the URL as part of the query string:

add_params(key: 'value')
# => "/current_path?key=value"

add_params({key: 'value'}, '/other_url')
# => "/other_url?key=value"

Installation

Add this line to your application's Gemfile:

gem 'merge_params'

Add this line to your ApplicationController (or whichever controller you want to have the helpers):

  include MergeParams::Helpers

The helpers will also be added with helper_method so that they are available for use in view templates as well.

Similar projects

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/TylerRick/merge_params.