Friday, February 10, 2023

Parameter filtering and an improved ActionView::Helpers::TagHelper#token_list

Posted by Emmanuel Hayford

Përshëndetje! Emmanuel here with the usual stuff.

filtered_path in ActionController::Instrumentation event payloads over fullpath

For security reasons, some data needs to be filtered before it can reach bad actors. Rails now filters sensitive parameters out of the request paths it writes to logs. Instead of passing fullpath to ActionController::Instrumentation, Rails now passes filtered_path, which applies the same filtering as config.filter_parameters to the query string. Here’s some code showing the difference:

  get "/posts?password=test"

  request.fullpath      # => "/posts?password=test"
  request.filtered_path # => "/posts?password=[FILTERED]"

Guard Stimulus’ data-action from multiple escapes

ActionView::Helpers::TagHelper’s token_list saw some improvements in this pull request. Previously, passing the output of one token_list call back into another (for example, while building up a Stimulus data-action attribute value) escaped the already-escaped string again, producing an excess of HTML escapes. This has now been fixed.
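To make the double-escaping problem concrete, here is an added illustration that is not the Rails code or the actual fix. It uses a minimal SafeBuffer class as a stand-in for Rails’ html_safe marking: a naive helper escapes every token on every call, while the idempotent version only escapes tokens that are not already marked safe, so feeding its own output back in leaves the escapes unchanged.

```ruby
require "cgi"

# Constructed stand-in for an html_safe string: content produced by our own
# escaping helper, which must not be escaped a second time.
class SafeBuffer < String
  def html_safe?
    true
  end
end

# The "before" behaviour: every token is escaped on every call, so passing
# the result of one call into the next turns "&gt;" into "&amp;gt;".
def naive_token_list(*args)
  args.flatten.compact
      .flat_map { |a| a.to_s.split(/\s+/) }
      .reject(&:empty?)
      .uniq
      .map { |t| CGI.escapeHTML(t) }
      .join(" ")
end

# The "after" behaviour: raw input is escaped exactly once, output that is
# already marked safe is passed through, and the result is marked safe so
# that a further token_list call (or the tag helper) will not escape it again.
def token_list(*args)
  tokens = args.flatten.compact.flat_map do |arg|
    safe = arg.respond_to?(:html_safe?) && arg.html_safe?
    arg.to_s.split(/\s+/).reject(&:empty?).map do |t|
      safe ? SafeBuffer.new(t) : SafeBuffer.new(CGI.escapeHTML(t))
    end
  end
  SafeBuffer.new(tokens.uniq.join(" "))
end

if __FILE__ == $PROGRAM_NAME
  first = token_list("click->toggle#run", "input->form#validate")
  puts first                                     # click-&gt;toggle#run input-&gt;form#validate
  puts token_list(first, "submit->form#save")    # still single-escaped
  puts naive_token_list(naive_token_list("click->toggle#run")) # double-escaped
end
```

The Stimulus action descriptors use `->`, which is exactly the character HTML escaping rewrites, so the difference between the two helpers shows up in any data-action attribute.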

Added option to show all headers for mailer previews

This pull request enhances the mailer preview template by introducing an expandable section. Upon expansion, the section displays a table of all headers set on the mail being previewed.

Stop logging filtered params in Action Cable

This pull request adds parameter filtering to Action Cable so that sensitive information passed over WebSockets is masked before it is written to the logs.
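Both the filtered_path change above and this Action Cable change rely on the same idea: a list of key patterns from config.filter_parameters, with every matching value replaced by "[FILTERED]". The following is an added, dependency-free illustration of that idea, not Rails’ ActiveSupport::ParameterFilter; the ParamFilter class, its method names and the sample inputs are assumptions made for this example. It handles both a request path with a query string (the filtered_path case) and a nested params hash (what Action Cable logs for a subscription), masking the whole value when the key itself matches.

```ruby
require "uri"

FILTERED = "[FILTERED]".freeze

# Hypothetical stand-in for config.filter_parameters handling (not Rails code).
class ParamFilter
  # patterns: symbols/strings (case-insensitive substring match) or Regexps
  def initialize(patterns)
    @patterns = patterns.map do |p|
      p.is_a?(Regexp) ? p : /#{Regexp.escape(p.to_s)}/i
    end
  end

  def filtered_key?(key)
    @patterns.any? { |re| key.to_s.match?(re) }
  end

  # Recursively masks values in nested hashes and arrays. A matching key masks
  # its entire value, even when that value is itself a hash.
  def filter(value, key = nil)
    return FILTERED if key && filtered_key?(key)

    case value
    when Hash  then value.each_with_object({}) { |(k, v), h| h[k] = filter(v, k) }
    when Array then value.map { |v| filter(v, key) }
    else value
    end
  end

  # Masks sensitive query-string values in a request path and leaves the rest
  # of the path untouched (fullpath in, filtered_path out).
  def filter_path(fullpath)
    path, query = fullpath.split("?", 2)
    return fullpath if query.nil? || query.empty?

    masked = URI.decode_www_form(query).map do |k, v|
      value = filtered_key?(k) ? FILTERED : URI.encode_www_form_component(v)
      "#{URI.encode_www_form_component(k)}=#{value}"
    end
    "#{path}?#{masked.join('&')}"
  end
end

if __FILE__ == $PROGRAM_NAME
  filter = ParamFilter.new([:password, /token/i])

  # Constructed request path, as in the fullpath/filtered_path comparison above.
  puts filter.filter_path("/posts?password=test")

  # Constructed Action Cable subscription params.
  subscription = {
    "channel" => "ChatChannel",
    "password" => "hunter2",
    "user" => { "name" => "alice", "api_token" => "t0k3n" }
  }
  p filter.filter(subscription)
end
```

The query-string branch re-encodes every non-filtered value, so a path that needed no masking round-trips unchanged apart from encoding, while the masked values read as "[FILTERED]" in the log rather than a percent-encoded form.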

We saw 42 contributors in the past week. Until next week!
