Background

Brakeman version: 5.1.2
Rails version: 6.1.7.3
Ruby version: 2.7.5
Link to Rails application code: #1778

False Positive
Full warning from Brakeman:

Confidence: High
Category: Cross-Site Scripting
Check: ContentTag
Message: Unescaped parameter value in `content_tag`
Code: content_tag(:tr, foo(mf), params[:foo] => params[:bar])
Relevant code:

```ruby
helper.content_tag :p, "<script>alert(1)</script>", "<script>&'\"" => "<script>&'\""
```
Why might this be a false positive?
The return value seems to `gsub` out the control characters for `_` in attribute names now.

```ruby
=> "<p _script____=\"<script>&'"\"><script>alert(1)</script></p>"
```
I haven't really tracked down when this changed. I thought I did, but no.
I think it was rails/rails@5c7dae5, released in Rails 6.1.6.
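To make the behaviour discussed above reproducible offline, here is an added example (not code from this issue, from Brakeman, or from Rails). It re-creates, in a few lines, the attribute-name sanitisation that Rails 6.1.6+ applies in its tag helpers: any character that is not legal in an XML name is replaced with `_`, which is why the `"<script>&'\""` key above renders as `_script____`. The `sanitize_attr_name` helper, its ASCII-only character classes, and the minimal `content_tag` stand-in are all simplifications written for this example; Rails' real implementation (`ERB::Util.xml_name_escape`) also covers the Unicode name ranges from the XML specification. The `sanitize_names: false` path shows what a raw attribute name allowed to do before the change, so the example goes a little beyond the single case in the thread.

```ruby
# Added example: re-creates the attribute-name escaping Rails 6.1.6+ performs
# in tag helpers. Not Brakeman or Rails code; see the lead-in for assumptions.
require "cgi"

# ASCII-only approximation (assumption) of the XML Name production:
# first character may be a letter, "_" or ":"; later ones may also be
# digits, "-" or ".". Everything else is replaced with "_".
NAME_START = /[^A-Za-z_:]/
NAME_REST  = /[^A-Za-z0-9_:.\-]/

# Replace anything not allowed in an XML attribute name with "_".
def sanitize_attr_name(name)
  name = name.to_s
  return "" if name.empty?
  first = name[0].gsub(NAME_START, "_")
  first + name[1..].gsub(NAME_REST, "_")
end

# Minimal stand-in for content_tag: escapes the content and attribute values
# with CGI.escapeHTML, and, when sanitize_names is true (Rails >= 6.1.6
# behaviour), sanitises attribute names as well. sanitize_names: false mimics
# the older behaviour where the key went into the markup untouched.
def content_tag(name, content, attrs = {}, sanitize_names: true)
  attr_str = attrs.map do |k, v|
    key = sanitize_names ? sanitize_attr_name(k) : k.to_s
    %( #{key}="#{CGI.escapeHTML(v.to_s)}")
  end.join
  "<#{name}#{attr_str}>#{CGI.escapeHTML(content.to_s)}</#{name}>"
end

if __FILE__ == $0
  # Constructed inputs: the key/value from this issue and an attribute-name
  # payload that smuggles a second attribute when names are not sanitised.
  evil = "<script>&'\""
  puts content_tag(:p, "<script>alert(1)</script>", { evil => evil })
  puts content_tag(:p, "x", { "onmouseover=alert(1) x" => "y" })
  puts content_tag(:p, "x", { "onmouseover=alert(1) x" => "y" }, sanitize_names: false)
end
```

The first call reproduces the `_script____` attribute name seen in the issue; the last call shows the attribute-name injection that the Brakeman warning was written for and that the sanitisation removes.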
Commit 7590912: No attribute name XSS warning in Rails 6.1.6+ (Fixes #1778)
Commit b4d07f8: No attribute name XSS warning in Rails 6.1.6+ (#1779)