diff options
| author | Prem Sichanugrist <s@sikac.hu> | 2014-07-25 12:00:14 -0400 |
|---|---|---|
| committer | Prem Sichanugrist <s@sikac.hu> | 2014-08-18 20:42:45 -0400 |
| commit | 5109740c6be67047df56feb164012c3a1a3c619b (patch) | |
| tree | c0cf051b99bc489055c747d7d143fd53cac7e9d3 /guides/assets | |
| parent | dfeeecd2f3bde70f22174843ccfc594610b4eebc (diff) | |
| download | rails-5109740c6be67047df56feb164012c3a1a3c619b.tar.gz rails-5109740c6be67047df56feb164012c3a1a3c619b.tar.bz2 rails-5109740c6be67047df56feb164012c3a1a3c619b.zip | |
Make `AC::Params#to_h` return Hash with safe keys
`ActionController::Parameters#to_h` now returns a `Hash` with
unpermitted keys removed. This change is to reflect on a security
concern where some method performed on an `ActionController::Parameters`
may yield a `Hash` object which does not maintain `permitted?` status.
If you would like to get a `Hash` with all the keys intact, duplicate
and mark it as permitted before calling `#to_h`.
params = ActionController::Parameters.new(name: 'Senjougahara Hitagi')
params.to_h # => {}
unsafe_params = params.dup.permit!
unsafe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
safe_params = params.permit(:name)
safe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
This change is consider a stopgap as we cannot chage the code to stop
`ActionController::Parameters` to inherit from
`HashWithIndifferentAccess` in the next minor release.
Also, adding a CHANGELOG entry to mention that
`ActionController::Parameters` will not inheriting from
`HashWithIndifferentAccess` in the next major version.
Diffstat (limited to 'guides/assets')
0 files changed, 0 insertions, 0 deletions