Securely redirecting to the same page with one param changed

I want to create a URL with one param changed. In my case, I want to link to, redirect to, or otherwise create a URL for the same page, but in a different locale.

url_for :locale => new_locale


Loses the query string.

url_for params.merge(:locale => new_locale)


URL is generated correctly, but someone could make my URL point to a different domain by passing a :host parameter.

url_for params.merge(:locale => new_locale, :only_path => true)


Prevents the security problem in the previous example, but potentially there are other ways to mess with the generated URL (passing other url_for options like script_name, anchor, etc.). Not sure if these other parameters represent a security issue.

Is there a secure way to do this? Perhaps a method to generate a URL where none of the parameters are “special”? Or does the final example handle all the potential security problems?