
False Positive 'Unescaped model attribute' when using safe '_html' i18n key #1754

Open
jtomson opened this issue Jan 13, 2023 · 0 comments
jtomson commented Jan 13, 2023

Background

Brakeman version: 5.4.0
Rails version: 4.2.11.3
Ruby version: 2.4.10

Link to Rails application code: xxxx

False Positive

Full warning from Brakeman:

Confidence: Weak
Category: Cross-Site Scripting
Check: CrossSiteScripting
Message: Unescaped model attribute
Code: t("foo_email.description_html", :email => Foo.where(:id => params[:foo_id]).first.email)
File: app/views/foos/foo_email.html.erb
Line: 8

Relevant code:

```erb
@description = t("foo_email.description_html", :email => Foo.where(:id => params[:foo_id]).first.email)
# [... later in erb]
<div><%== @description %></div>
```

Using an i18n key ending in `_html` should automatically sanitize all parameters, as described in https://guides.rubyonrails.org/i18n.html#using-safe-html-translations, but the use of `<%==` was unnecessary and perhaps good to call out?
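To make the escaping rules the report relies on concrete, here is a small stand-alone simulation of the behaviour the Rails guide documents for `_html` translation keys, together with what `<%=` and `<%==` do with the result. This is an added example, not code from the issue, Brakeman or Rails: `SafeString` stands in for `ActiveSupport::SafeBuffer`, `TRANSLATIONS` is a constructed locale table, `translate` reimplements the documented rule (escape each interpolated value unless it is already html-safe, then mark the whole translation html-safe), `erb_escaped` and `erb_raw` model the two ERB output tags, and the hostile email address is a constructed input.

```ruby
require 'cgi'

# Stand-in for ActiveSupport::SafeBuffer: a String that records it has
# already been escaped (assumed helper, not Rails' own class).
class SafeString < String; end

def html_safe?(value)
  value.is_a?(SafeString)
end

# Escape unless the value is already marked safe; mirrors ERB::Util.html_escape.
def html_escape(value)
  return value if html_safe?(value)
  SafeString.new(CGI.escapeHTML(value.to_s))
end

# Constructed locale entries; "%{email}" is the interpolation slot.
TRANSLATIONS = {
  "foo_email.description_html" => "Sent to <strong>%{email}</strong>",
  "foo_email.description"      => "Sent to %{email}",
}.freeze

# Documented Rails rule for t(): a key ending in _html (or .html) escapes
# every interpolation value that is not html_safe and marks the result safe;
# any other key returns a plain, untrusted String.
def translate(key, **values)
  template = TRANSLATIONS.fetch(key)
  if key.end_with?("_html", ".html")
    escaped = values.transform_values { |v| html_escape(v) }
    SafeString.new(template % escaped)
  else
    template % values
  end
end

# <%= expr %>: escape unless the value is already html_safe.
def erb_escaped(value)
  html_escape(value).to_s
end

# <%== expr %> (same as raw()): emit verbatim, trusting the caller.
def erb_raw(value)
  value.to_s
end

# Runs the scenario from the report with a constructed hostile "email".
def demo
  hostile = %q(<img src=x onerror=alert(1)>@example.com)
  description = translate("foo_email.description_html", email: hostile)
  plain = translate("foo_email.description", email: hostile)
  {
    safe_buffer:       html_safe?(description),
    escaped_tag:       erb_escaped(description),   # <%= @description %>
    raw_tag:           erb_raw(description),       # <%== @description %>
    plain_key_escaped: erb_escaped(plain),         # <%= without _html key
    plain_key_raw:     erb_raw(plain),             # <%== without _html key: XSS
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

With the `_html` key, `erb_escaped` and `erb_raw` return the same markup, because the interpolated address was escaped inside `translate` and the result is already html-safe; the `<%==` in the view is therefore redundant rather than dangerous. The last entry shows the combination Brakeman's "Unescaped model attribute" message is about in general: a non-`_html` key (or any plain string built from a model attribute) sent through `<%==` reaches the page unescaped.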
