Reputation: 836
I used brakeman for generating scanning reports in my application. It generated many Cross Site Scripting security warnings with High Confidence in my reports/show page:
Unescaped model attribute near line 104: Report.find(params[:id]).remarks
I have looked at the link but couldn't fix it. Please help. This is the line in the show page where I am getting the warning:
<%= @report.remarks.html_safe %>
Upvotes: 11
Views: 3836
Reputation: 1621
Brakeman warns about any cases of potential user input being output without HTML escaping. Values from the database count as "potential user input".
If you are expecting remarks on reports to contain HTML that you wish the browser to interpret as HTML, then you must use html_safe and you are responsible for ensuring the HTML is safe - perhaps by calling sanitize or strip_tags. If you are not expecting remarks to contain HTML, then remove the call to html_safe.

The html_safe call essentially tells Rails "this string is safe, do not escape it." If that is what you intend, then you can ignore these warnings.
Upvotes: 11
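The three choices in the answer above, shown side by side in plain Ruby as an added example (not code from the question or the answer): escaping everything (what Rails does for <%= @report.remarks %> without html_safe), emitting the stored value unchanged (what html_safe amounts to), and an allowlist sanitizer that re-enables only a fixed set of attribute-free tags after escaping. The sanitizer here is a stand-in for Rails' sanitize/strip_tags, which live in rails-html-sanitizer and are not used so that the block runs without Rails; SAMPLE_REMARK is a constructed database value, not real data.

```ruby
require "erb"

# Constructed sample: a "remark" as it might sit in the reports table after
# being submitted through a form. It mixes harmless formatting with a script tag.
SAMPLE_REMARK = 'Looks good <b>overall</b><script>alert("xss")</script>'

# Tags this example chooses to let through (hypothetical allowlist). Only the
# exact attribute-free forms "<tag>" and "</tag>" are ever re-enabled.
ALLOWED_TAGS = %w[b i em strong].freeze

# Option 1: what <%= @report.remarks %> does in Rails. ERB::Util.html_escape is
# the same helper Rails uses to escape &, <, >, " and '.
def escape_all(remark)
  ERB::Util.html_escape(remark)
end

# Option 2: what <%= @report.remarks.html_safe %> amounts to. The string reaches
# the browser unchanged, so any script tag stored in the database executes.
def emit_raw(remark)
  remark
end

# Option 3: escape everything first, then un-escape only the literal allowlisted
# tokens. Because a tag with attributes (e.g. "<b onclick=...>") never escapes to
# exactly "&lt;b&gt;", it stays escaped and inert.
def allowlist_sanitize(remark)
  out = escape_all(remark)
  ALLOWED_TAGS.each do |tag|
    out = out.gsub("&lt;#{tag}&gt;", "<#{tag}>")
             .gsub("&lt;/#{tag}&gt;", "</#{tag}>")
  end
  out
end

# Simple check used by the demo: does active markup survive into the output?
def contains_script_tag?(html)
  html.include?("<script")
end

if __FILE__ == $PROGRAM_NAME
  { "escape_all" => escape_all(SAMPLE_REMARK),
    "emit_raw" => emit_raw(SAMPLE_REMARK),
    "allowlist_sanitize" => allowlist_sanitize(SAMPLE_REMARK) }.each do |name, html|
    puts "#{name}: #{html}"
    puts "  script tag reaches browser: #{contains_script_tag?(html)}"
  end
end
```

Only emit_raw lets the script tag through, which is exactly the case Brakeman's "unescaped model attribute" warning points at; the other two leave it as harmless text while the sanitizer still keeps the bold markup.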