I want to create a URL with one param changed. In my case, I want to
link to, redirect to, or otherwise create a URL for the same page, but
in a different locale.
url_for :locale => new_locale
Loses the query string.
url_for params.merge(:locale => new_locale)
URL is generated correctly, but someone could make my URL point to a
different domain by passing a :host parameter.
url_for params.merge(:locale => new_locale, :only_path => true)
Prevents the security problem in the previous example, but potentially
there are other ways to mess with the generated URL (passing other
url_for options like script_name, anchor, etc.). Not sure if these other
parameters represent a security issue.
Is there a secure way to do this? Perhaps a method to generate a URL
where none of the parameters are “special”? Or does the final example
handle all the potential security problems?
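
Two ways to keep request parameters from acting as url_for options, as an added example that is not part of the original post and is not Rails code. The helper names, the sample input and the option-key list are assumptions; the first helper takes a plain Hash, and the second assumes the locale travels in the query string.

```ruby
require "uri"

# Documented url_for option keys, which url_for interprets itself instead
# of emitting as query parameters. Assumption: re-check this list against
# the Rails version in use.
URL_FOR_OPTION_KEYS = %w[
  only_path protocol host subdomain domain tld_length port
  anchor params trailing_slash script_name
].freeze

# Hypothetical helper: the hash to hand to url_for. Request-supplied
# option keys are dropped whether they arrive as strings or symbols.
def locale_switch_options(request_params, new_locale)
  kept = request_params.reject { |key, _| URL_FOR_OPTION_KEYS.include?(key.to_s) }
  kept.transform_keys(&:to_sym).merge(locale: new_locale, only_path: true)
end

# Hypothetical alternative that bypasses url_for: rebuild the current
# path and query string, where every parameter is plain query data.
def locale_switch_path(fullpath, new_locale)
  path, query = fullpath.split("?", 2)
  # Accept only a single-slash local path; "//host/..." and "/\host/..."
  # can be read by browsers as pointing at another host.
  raise ArgumentError, "not a local path" unless path.to_s.match?(%r{\A/(?![/\\])})
  pairs = URI.decode_www_form(query.to_s).reject { |name, _| name == "locale" }
  pairs << ["locale", new_locale.to_s]
  "#{path}?#{URI.encode_www_form(pairs)}"
end

# Constructed sample input, not taken from a real request.
SAMPLE_PARAMS = {
  "controller" => "articles", "action" => "index", "page" => "2",
  "locale" => "en", "host" => "other.example", :script_name => "/x"
}.freeze
```

In the second helper a request-supplied `host` survives only as an ordinary query parameter of the same-origin path.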