SearchState could potentially expose sensitive parameters on the querystring?
An audit performed on our Hyrax instance identified what looks like a byproduct of Blacklight SearchState maintaining the querystring for link rendering. In our specific case, the audit attempted to pass authenticity_token on the querystring and it was rendered in subsequent links by Blacklight. The audit result pointed to a security concern because these links could be passed as referrers, log files, browser history, links, proxies, etc.
This got me wondering if SearchState might benefit from becoming a bit more intelligent about which parameters it will maintain, based on the Blacklight configuration provided to the controller.
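One way to express the allowlisting idea described in this issue, as an added example that is not Blacklight's own code: derive the set of link-carrying parameters from a (hypothetical, simplified) configuration hash and drop everything else, so a stray `authenticity_token` never reaches rendered links. The config shape, field names and facet names below are constructed for the example.

```ruby
# Hypothetical stand-in for the relevant parts of a blacklight_config.
# Field and facet names are constructed for this example.
BLACKLIGHT_CONFIG = {
  facet_fields:  %w[format_sim language_sim],
  search_fields: %w[all_fields title],
  sort_fields:   ["score desc", "title_si asc"]
}.freeze

# Parameters that carry the search state itself, independent of config.
STATE_KEYS = %w[q search_field sort page per_page].freeze

# Return a new hash containing only parameters the configuration recognises.
# Anything else (authenticity_token, utm_*, session ids, ...) is dropped
# instead of being echoed into subsequent search links.
def allowed_search_params(params, config = BLACKLIGHT_CONFIG)
  params = params.transform_keys(&:to_s)
  out = params.slice(*STATE_KEYS)

  # Values must be scalar strings; reject arrays/hashes smuggled into q or sort.
  out.delete_if { |_, v| !v.is_a?(String) }
  # Restrict enumerated fields to the configured choices.
  out.delete("search_field") unless config[:search_fields].include?(out["search_field"])
  out.delete("sort") unless config[:sort_fields].include?(out["sort"])

  # Keep only the configured facets, each as a list of string values.
  facets = params["f"]
  if facets.is_a?(Hash)
    kept = facets.each_with_object({}) do |(field, values), acc|
      next unless config[:facet_fields].include?(field.to_s)
      vals = Array(values).select { |v| v.is_a?(String) }
      acc[field.to_s] = vals unless vals.empty?
    end
    out["f"] = kept unless kept.empty?
  end
  out
end
```

A real integration would apply this filtering inside the SearchState-to-URL step rather than at the controller, so every helper that builds links benefits.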