I'm using Brakeman to identify security issues. It's flagging up any links which use params.merge as a cross site scripting vulnerability. How can I sanitize something like the following?

  - @archives.each do |archive|
    =  link_to "FTP", params.merge(:action => :ftp, :archive => archive, :recipient => "company")

You should create a new hash based on only the elements of params which you expect and wish to allow to be a part of the FTP link and use that to merge your additional parameters.

What you have allows me to add whatever I want to that FTP link by modifying the querystring, opening up the door to security vulnerabilities. By building a hash for use in place of the params in the params.merge(... you're effectively whitelisting expected querystring components for use in the template you're rendering.

As a GET example, if you expect a URL like

/some/path?opt1=val1&opt2=val2

your controller action you might do

@cleaned_params = { opt1: params[:opt1], opt2: params[:opt2] }
@cleaned_params.merge! action: :ftp, archive: archive, recipient: :company

And then pass @cleaned_params to the link_to

=  link_to "FTP", @cleaned_params

This way if I manually enter a URL like

/some/path?opt1=val1&opt2=val2&maliciousopt=somexss

The params[:maliciousopt] will never make it into your FTP link_to in your view.

The same behaviour applies to POST requests, only to be malicious I might add a couple fields to the form before submitting it

<input type="hidden" name="maliciousopt" value="somexss" />