Jeff Dean's blog
The problem: Improperly escaped POST data
I recently worked on an app that processed XML files. Once a week, a legacy system POSTed a large XML document to the app. For almost a year the app worked perfectly; then we upgraded to Rails 2.3.2 and the posts started failing spectacularly. Looking at the log files, I noticed that the params were being parsed incorrectly:
<code>{"message"=>"hello", "xml"=>"<xml>Foo &", "Bar</xml>"=>nil, "action"=>"not_scrubbed", "controller"=>"examples"}</code>
After looking into it further, I realized that the posted data contained literal, unencoded semicolons (here the one after the <code>%26amp</code>, which was meant to become the entity <code>&amp;amp;</code> inside the XML):
<code>xml=<xml>Foo %26amp; Bar</xml>&message=hello</code>
It turns out that Rails used to split params only on ampersands, but Rack, which Rails 2.3 now uses to handle requests, splits on both ampersands and semicolons (the W3C recommends accepting <code>;</code> as a separator). So the semicolon after <code>&amp;amp</code> was taken as the end of the <code>xml</code> value, and the rest of the document became a second, value-less key. We couldn't change the legacy system, so we had to remove the semicolons before the POST params got to Rails.
The solution: Rack middleware
Using Rack middleware, it was easy to insert code that ran before Rails' params parsing executed. To start, build a class that conforms to the Rack middleware interface: it is constructed with the next app in the chain and responds to <code>call(env)</code>, like so:
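As an added example (not the middleware from the original post), here is one way to write such a class. It assumes a standard Rack <code>env</code> and a form-encoded POST body, and instead of deleting the semicolons it percent-encodes them as <code>%3B</code>, so the parser restores the <code>;</code> when it unescapes the value and the XML survives intact. A simplified model of Rack's query parser (<code>rack_style_parse</code>) and a stand-in downstream app (<code>PARAMS_APP</code>) are included only so the example runs offline without the rack gem; in a real app Rack and Rails do that step. The sample body <code>LEGACY_BODY</code> is constructed to match the post.

```ruby
require 'stringio'
require 'uri'

# Added example, not the middleware from the original post: percent-encode
# literal semicolons in a form-encoded POST body before the params parser
# (which splits on both "&" and ";") sees it. Encoding as %3B rather than
# deleting the character lets the parser restore the ";" when it unescapes
# the value, so the legacy system's XML arrives intact.
class EscapeSemicolons
  FORM_TYPE = 'application/x-www-form-urlencoded'.freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    if form_post?(env)
      body  = env['rack.input'].read
      fixed = self.class.escape(body)
      # The parser reads exactly CONTENT_LENGTH bytes, and "%3B" is two bytes
      # longer than ";", so the length must be updated along with the body.
      env['rack.input']     = StringIO.new(fixed)
      env['CONTENT_LENGTH'] = fixed.bytesize.to_s
    end
    @app.call(env)
  end

  # Only rewrite bodies the params parser would treat as form data; an XML or
  # JSON body that happens to contain semicolons must pass through untouched.
  def form_post?(env)
    env['REQUEST_METHOD'] == 'POST' &&
      env['CONTENT_TYPE'].to_s.split(';').first.to_s.strip.downcase == FORM_TYPE
  end

  def self.escape(body)
    body.gsub(';', '%3B')
  end
end

# Simplified stand-in for Rack::Utils.parse_query (Rack splits on /[&;] */ and
# then unescapes each key and value). It is here only so the example runs
# without the rack gem; in a real app Rails/Rack performs this step.
def rack_style_parse(query)
  query.split(/[&;] */).each_with_object({}) do |pair, params|
    key, value = pair.split('=', 2).map { |s| URI.decode_www_form_component(s) }
    params[key] = value
  end
end

# Stand-in downstream app (hypothetical): parses the body and stashes the
# result in env so the caller can inspect what the framework would have seen.
PARAMS_APP = lambda do |env|
  env['example.params'] = rack_style_parse(env['rack.input'].read)
  [200, { 'Content-Type' => 'text/plain' }, [env['example.params'].inspect]]
end

# Minimal Rack env for a POST with a constructed body.
def post_env(body, content_type: 'application/x-www-form-urlencoded')
  {
    'REQUEST_METHOD' => 'POST',
    'CONTENT_TYPE'   => content_type,
    'CONTENT_LENGTH' => body.bytesize.to_s,
    'rack.input'     => StringIO.new(body)
  }
end

# Runs one request through the middleware and returns the resulting env.
def run_through_middleware(body, content_type: 'application/x-www-form-urlencoded')
  env = post_env(body, content_type: content_type)
  EscapeSemicolons.new(PARAMS_APP).call(env)
  env
end

# Constructed sample matching the post: an unencoded ";" inside the XML value.
LEGACY_BODY = 'xml=<xml>Foo %26amp; Bar</xml>&message=hello'.freeze

if __FILE__ == $PROGRAM_NAME
  puts "without middleware: #{rack_style_parse(LEGACY_BODY).inspect}"
  puts "with middleware:    #{run_through_middleware(LEGACY_BODY)['example.params'].inspect}"
end
```

Run as a script, the first line shows the broken split from the post (<code>"Bar</xml>"=>nil</code>); the second shows the <code>xml</code> value arriving whole. In a Rails 2.3 app the class would be registered ahead of the framework's parsing with <code>config.middleware.use EscapeSemicolons</code> in <code>config/environment.rb</code> (an assumption about your configuration, not something the post shows). Two caveats: the middleware only rewrites <code>application/x-www-form-urlencoded</code> POST bodies, and it leaves <code>QUERY_STRING</code> alone even though Rack splits that on <code>;</code> as well, so extend it if the legacy client also sends semicolons in the URL.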







