Parameter filtering and an improved ActionView::Helpers::TagHelper#token_list

Friday, February 10, 2023

Parameter filtering and an improved ActionView::Helpers::TagHelper#token_list

Posted by siaw23

Përshëndetje! Emmanuel here with the usual stuff.

filtered_path in ActionController::Instrumentation event payloads over fullpath
For security reasons, some data need to be filtered before it reaches bad actors. Rails now filters parameters in paths that may include sensitive information in logs. Instead of passing fullpath to ActionController::Instrumentation, Rails now passes filtered_path. Here’s some code for the difference:

get "/posts?password=test"
 
  request.full_path # => "/posts?password=test"
  response.filtered_path # => "/posts?password=[FILTERED]"

Guard Stimulus’ data-action from multiple escapes
ActionView::Helpers::TagHelper’s token_list saw some improvements in this pull request. Previously, utilizing multiple consecutive calls to the token_list function with a data-action attribute value caused an excess of HTML escapes. This has now been fixed.

Added option to show all headers for mailer previews
This pull request enhances the mailer preview template by introducing an expandable section. Upon expansion, the section displays a comprehensive table of all headers relevant to the mailer.

Stop logging filtered params in Action Cable
This pull request adds parameter filtering to filter out sensitive information that might be passed over WebSockets so logs won’t leak out information.

We saw 42 contributors in the past week.
Until next week!

Your weekly inside scoop of interesting commits, pull requests and more from Rails.

Subscribe to get these updates mailed to you.