From a31078556a82ded9cb13c71727e146bb716a17ec Mon Sep 17 00:00:00 2001
From: Prathamesh Sonpatki <csonpatki@gmail.com>
Date: Sun, 3 Jan 2016 17:20:24 +0530
Subject: Allow AC::Parameters as an argument to url_helpers

- Earlier only Hash was allowed as params argument to url_helpers.
- Now ActionController::Parameters instances will also be allowed.
- If the params are not secured then it will raise an ArgumentError to
  indicate that constructing URLs with non-secure params is not recommended.
- Fixes #22832.
---
 actionpack/lib/action_dispatch/routing/route_set.rb | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

(limited to 'actionpack/lib/action_dispatch/routing/route_set.rb')

diff --git a/actionpack/lib/action_dispatch/routing/route_set.rb b/actionpack/lib/action_dispatch/routing/route_set.rb
index 2bd2e53252..846b5fa1fc 100644
--- a/actionpack/lib/action_dispatch/routing/route_set.rb
+++ b/actionpack/lib/action_dispatch/routing/route_set.rb
@@ -281,8 +281,17 @@ module ActionDispatch
           helper = UrlHelper.create(route, opts, route_key, url_strategy)
           mod.module_eval do
             define_method(name) do |*args|
-              options = nil
-              options = args.pop if args.last.is_a? Hash
+              last = args.last
+              options = case last
+                        when Hash
+                          args.pop
+                        when ActionController::Parameters
+                          if last.permitted?
+                            args.pop.to_h
+                          else
+                            raise ArgumentError, "Generating an URL from non sanitized request parameters is insecure!"
+                          end
+                        end
               helper.call self, args, options
             end
           end
-- 
cgit v1.2.3