path: root/actionview/lib/action_view/template/handlers/builder.rb
author: Rafael Mendonça França <rafaelmfranca@gmail.com>, 2017-04-11 21:45:39 -0400
committer: Rafael Mendonça França <rafaelmfranca@gmail.com>, 2017-04-18 17:33:23 -0400
commit: fd88ccc905549c61e0e4525fcb68b91d20b9afe9
tree: bdb5f528a4e317cab9d810161dae2498a38928fe /actionview/lib/action_view/template/handlers/builder.rb
parent: 1396b05e5a36859a9730e7a4a56abba02c41c0d6
Raise exception when calling to_h in an unfiltered Parameters
Before, we returned either an empty hash or only the always permitted parameters (:controller and :action by default). The previous behavior was dangerous because in order to get the attributes users usually fall back to using to_unsafe_h, which could potentially introduce security issues. The to_unsafe_h API is also not good since Parameters is an object that quacks like a Hash but not in all cases, since to_h would return an empty hash and users were forced to check if to_unsafe_h is defined or if the instance is an ActionController::Parameters in order to work with it. This ends up coupling a lot of libraries and parts of the application with something that is from the controller layer.
Diffstat (limited to 'actionview/lib/action_view/template/handlers/builder.rb')
0 files changed, 0 insertions, 0 deletions
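The behaviour change described in the commit message, as an added example that is not code from this commit or from Rails: a simplified stand-alone model of the contract. `ParamsModel`, `UnfilteredError`, `attributes_for_update` and the sample request are hypothetical names and constructed data; the `strict:` flag only switches between the old and new `to_h` behaviour for comparison.

```ruby
# Simplified model of the to_h contract; NOT Rails code. ParamsModel and
# UnfilteredError are hypothetical names used only for this illustration.
class UnfilteredError < ArgumentError; end

class ParamsModel
  ALWAYS_PERMITTED = %w[controller action].freeze

  def initialize(raw, permitted: false, strict: true)
    @raw = raw.transform_keys(&:to_s)
    @permitted = permitted
    @strict = strict # true = behaviour after the commit, false = before it
  end

  # Return a new, permitted instance holding only the allow-listed keys.
  def permit(*keys)
    self.class.new(@raw.slice(*keys.map(&:to_s)), permitted: true, strict: @strict)
  end

  def to_h
    return @raw.dup if @permitted
    raise UnfilteredError, "cannot convert unfiltered parameters" if @strict
    @raw.slice(*ALWAYS_PERMITTED) # old behaviour: silently drops everything else
  end

  # Escape hatch: every key, filtered or not.
  def to_unsafe_h
    @raw.dup
  end
end

# Constructed request: the client added an "admin" key the form never had.
REQUEST = { "controller" => "users", "action" => "update",
            "name" => "alice", "admin" => "true" }.freeze

# A library helper that only expects something Hash-like.
def attributes_for_update(params)
  params.to_h.reject { |key, _| ParamsModel::ALWAYS_PERMITTED.include?(key) }
end

def demo
  before = ParamsModel.new(REQUEST, strict: false)
  after = ParamsModel.new(REQUEST, strict: true)
  raised = begin
    attributes_for_update(after); false
  rescue UnfilteredError
    true
  end
  { old_silent: attributes_for_update(before),    # empty hash, no error raised
    unsafe_has_admin: before.to_unsafe_h.key?("admin"),
    new_raises: raised,
    permitted: attributes_for_update(after.permit(:name)) }
end
```

With the old behaviour the helper receives an empty hash and nothing signals why, which is what pushes callers toward `to_unsafe_h` and lets the unexpected `admin` key through; with the new behaviour the missing `permit` call fails loudly at the conversion point.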