How to fix Cross Site Scripting security warning in rails generated by brakeman?

Question

I used brakeman for generating scanning reports in my application. It generated many Cross Site Scripting security warnings with High Confidence. In that one of them is:

Unescaped parameter value rendered inline near line 47: render(text => "Unexpected EventType #{params["EventType"]}", { :status => 406 })
app/controllers/event_controller.rb.

In the controller method shown below, the 1st line is showing the above warning.

I have seen in the link but couldn't fix. Please help. And this is controller code:

  def purchase

    render :status => 406, :text => "Unexpected EventType #{params['EventType']}" and return unless params['EventType'] == 'purchased'
    @account = Account.new
    render :status => 406, :text => "Could not find Plan #{params['Plan']}" and return unless @account.plan = @plan = SubscriptionPlan.find_by_name(params['Plan'])

  end

Answer 1

When using render :text => ... Rails still renders the output as HTML (with content type text/html). Since your code is putting user input (params['EventType']) directly in the output, this is a classic cross-site scripting vulnerability.

You have two options. Use render :plain instead (which will render with content type text/plain instead of HTML):

render :status => 406, :plain => "Unexpected EventType #{params['EventType']}"

or escape the user input:

render :status => 406, :text => "Unexpected EventType #{ERB::Util.html_escape(params['EventType'])}"