sort_link Generates Link With URL's host Parameter if Present

[sshaw]

If you have a URL like: example.com?host=foo and you call sort_link on the page it will generate a URL for foo instead of example.com. This is a result of Rails' URL helpers but regardless SortLink#url_options should be scrubbing this and the other URL altering parameters.

Seeing this on 2.3.0 but from the code it looks to be a problem on master too.

The workaround is to params.delete(:host) before calling.

Related #693

[deivid-rodriguez]

#1317 should fix this!

[phantomwhale]

I note the PR above fixed up host - which is a problem we are now seeing too (using an older version of the gem, beforer the patch above, to be clear)

Just wondered if there was a reason it didn't address the other URL altering parameters as well, as linked above?

(https://api.rubyonrails.org/classes/ActionDispatch/Routing/UrlFor.html#method-i-url_for)

Admittedly, overwriting host feels the most harmful - can't quite find an exploit for overwriting protocol yet