Background

Brakeman version: 5.4.0
Rails version: 4.2.11.3
Ruby version: 2.4.10
Link to Rails application code: xxxx

False Positive

Full warning from Brakeman:

Confidence: Weak
Category: Cross-Site Scripting
Check: CrossSiteScripting
Message: Unescaped model attribute
Code: t("foo_email.description_html", :email => Foo.where(:id => params[:foo_id]).first.email)
File: app/views/foos/foo_email.html.erb
Line: 8

Relevant code:

```ruby
@description = t("foo_email.description_html", :email => Foo.where(:id => params[:foo_id]).first.email)
```

```erb
<%# [... later in erb] %>
<div><%== @description %></div>
```

Using an i18n key ending in `_html` should automatically sanitize all parameters, as described in https://guides.rubyonrails.org/i18n.html#using-safe-html-translations, but the use of `<%==` was unnecessary and good to call out?
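To make the behaviour the issue asks about concrete, here is an added example (not code from the issue, the reporter's application, or Brakeman) that models what Rails 4.2's `translate` view helper does with a key ending in `_html`, and how `<%=` versus `<%==` treat the result. It runs without Rails: `SafeString` stands in for `ActiveSupport::SafeBuffer`, `MiniRails::TRANSLATIONS` is a constructed translation table in the issue's `foo_email` scope, `EVIL_EMAIL` is a constructed attacker-controlled value, and `render_variants`, `erb_equals` and `erb_double_equals` are hypothetical helper names chosen for this example.

```ruby
require "erb"

# Added example (not from the issue or from Brakeman): a stand-alone model of
# what Rails 4.2's `t`/`translate` view helper does with a key ending in
# "_html", and of how `<%=` and `<%==` treat the result. Stand-ins are used
# instead of ActiveSupport::SafeBuffer and I18n so this runs without Rails.

# Stand-in for ActiveSupport::SafeBuffer: a String that remembers it has
# already been escaped (in Rails, `html_safe?` returns true for it).
class SafeString < String; end

module MiniRails
  # Constructed translation table; keys mimic the issue's "foo_email" scope.
  TRANSLATIONS = {
    "foo_email.description_html" => "Send the report to <strong>%{email}</strong>",
    "foo_email.description"      => "Send the report to %{email}",
  }.freeze

  # Mirrors ActiveSupport's override of ERB::Util.html_escape: values that are
  # already html_safe pass through untouched; everything else is escaped and
  # the result is marked safe.
  def self.html_escape(value)
    return value if value.is_a?(SafeString)
    SafeString.new(ERB::Util.html_escape(value.to_s))
  end

  # Mirrors ActionView's TranslationHelper#translate: for a key ending in
  # "_html" (or ".html"), every interpolation value is html_escape'd first and
  # the finished translation is returned html_safe. Any other key returns a
  # plain, unescaped String. (Rails also skips escaping a numeric :count;
  # that case is omitted here.)
  def self.translate(key, options = {})
    template = TRANSLATIONS.fetch(key)
    if key.end_with?("_html") || key.end_with?(".html")
      safe_options = options.transform_values { |v| html_escape(v) }
      SafeString.new(template % safe_options)
    else
      template % options
    end
  end

  # <%= value %> : Rails escapes on output unless the value is html_safe.
  def self.erb_equals(value)
    value.is_a?(SafeString) ? value.to_s : ERB::Util.html_escape(value.to_s)
  end

  # <%== value %> : output verbatim, never escaped (same as raw(value)).
  def self.erb_double_equals(value)
    value.to_s
  end
end

# Renders the issue's line with each combination of key style and ERB tag so
# the outputs can be compared side by side.
def render_variants(email)
  html_key  = MiniRails.translate("foo_email.description_html", email: email)
  plain_key = MiniRails.translate("foo_email.description", email: email)
  {
    html_key_equals:         MiniRails.erb_equals(html_key),         # <%= t("..._html") %>
    html_key_double_equals:  MiniRails.erb_double_equals(html_key),  # <%== t("..._html") %> (the issue's code)
    plain_key_equals:        MiniRails.erb_equals(plain_key),        # <%= t("...") %>
    plain_key_double_equals: MiniRails.erb_double_equals(plain_key), # <%== t("...") %> (XSS)
  }
end

# Constructed attacker-controlled value, as if a Foo record had been saved
# with this string in its email column.
EVIL_EMAIL = %q{"><script>alert(1)</script>}

if __FILE__ == $PROGRAM_NAME
  render_variants(EVIL_EMAIL).each { |tag, html| puts "#{tag}: #{html}" }
end
```

Run as a script, it prints the four renderings. With the `_html` key the `<%=` and `<%==` outputs are byte-for-byte identical, because the helper already escaped the `email` value and returned an html_safe string, so `<%==` adds nothing. The two tags only diverge when the value is not html_safe (here, the key without the `_html` suffix), and that is exactly the case where `<%==` turns the model attribute into an injection. Note that the suffix only protects the interpolated values: markup written in the translation text itself is trusted by design, so the locale files stay part of the attack surface.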