How to fix Cross Site Scripting security warning in rails when using html_safe?

I used brakeman for generating scanning reports in my application. It generated many Cross Site Scripting security warnings with High Confidence in my reports/show page:

Unescaped model attribute near line 104: Report.find(params[:id]).remarks

I have looked at the link but couldn't fix it. Please help. This is the line in the show page where I am getting the error:

<%= @report.remarks.html_safe %>
venkat asked Aug 23 '16 11:08


1 Answer

Brakeman warns about any cases of potential user input being output without HTML escaping. Values from the database count as "potential user input".

If you are expecting remarks on reports to contain HTML that you wish the browser to interpret as HTML, then you must use html_safe and you are responsible for ensuring the HTML is safe - perhaps by calling sanitize or strip_tags. If you are not expecting remarks to contain HTML, then remove the call to html_safe.

The html_safe call essentially tells Rails "this string is safe, do not escape it." If that is what you intend, then you can ignore these warnings.

Justin answered Sep 19 '22 00:09
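The three outcomes the answer describes (remove html_safe and let Rails escape, keep html_safe but sanitize first, or strip the tags) can be seen side by side in a plain Ruby script. This is an added example, not code from the question, the answer, Rails or Brakeman. It stands in for Rails' SafeBuffer with a tiny SafeString class and for the view's <%= %> with an output helper, and its sanitize_remarks and strip_remarks helpers are simplified stand-ins for Rails' sanitize and strip_tags (which are backed by rails-html-sanitizer); the remarks values are constructed samples, not real database rows. In an application the real Rails helpers should be used, but the behaviour this shows is the same.

```ruby
require "erb"

# Constructed sample values standing in for Report#remarks rows read from the
# database. The :hostile one is the case Brakeman is worried about: stored
# content that contains markup nobody reviewed before it was saved.
SAMPLE_REMARKS = {
  plain:   "Closed after review & sign-off",
  markup:  "Please <b>re-run</b> the job",
  hostile: "<b onmouseover=alert(1)>bold</b><script>alert(1)</script>",
}.freeze

# Minimal model of Rails' ActiveSupport::SafeBuffer: a string that html_safe
# has marked as already safe, which the view will not escape again.
class SafeString < String
  def html_safe?
    true
  end
end

# Stand-in for <%= %> in a Rails view: escape anything not marked as safe.
def output(value)
  if value.respond_to?(:html_safe?) && value.html_safe?
    value.to_s
  else
    ERB::Util.html_escape(value)
  end
end

# The pattern Brakeman flagged: html_safe on raw database content, so whatever
# was stored reaches the browser untouched.
def render_unsafe(remarks)
  output(SafeString.new(remarks))
end

# Option 1 from the answer: drop the html_safe call and let the view escape.
def render_escaped(remarks)
  output(remarks)
end

# Tokens look like "<...>"; text between them never contains a complete tag.
TAG_TOKEN = /(<[^>]*>)/
BARE_TAG  = /\A<[^>]*>\z/
# Option 2 allows only these bare tags (no attributes), so event handlers
# such as onmouseover on an otherwise allowed tag are escaped as text.
ALLOWED_TAG = %r{\A</?(b|i|em|strong|p|br)>\z}i

# Option 2: keep simple formatting, escape everything else. Simplified
# stand-in for Rails' sanitize helper (hypothetical name).
def sanitize_remarks(remarks)
  pieces = remarks.split(TAG_TOKEN).map do |piece|
    piece.match?(ALLOWED_TAG) ? piece : ERB::Util.html_escape(piece)
  end
  SafeString.new(pieces.join)
end

def render_sanitized(remarks)
  output(sanitize_remarks(remarks))
end

# Option 3: drop every tag and escape the remaining text. Simplified stand-in
# for Rails' strip_tags helper (hypothetical name).
def strip_remarks(remarks)
  pieces = remarks.split(TAG_TOKEN).reject { |piece| piece.match?(BARE_TAG) }
  SafeString.new(pieces.map { |piece| ERB::Util.html_escape(piece) }.join)
end

def render_stripped(remarks)
  output(strip_remarks(remarks))
end

# Returns what the browser would receive under each option for one value.
def compare_renderings(remarks)
  {
    unsafe:    render_unsafe(remarks),
    escaped:   render_escaped(remarks),
    sanitized: render_sanitized(remarks),
    stripped:  render_stripped(remarks),
  }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_REMARKS.each do |name, remarks|
    puts "== #{name}"
    compare_renderings(remarks).each { |mode, html| puts "  #{mode}: #{html}" }
  end
end
```

Running the script shows that only render_unsafe lets the script element through; the escaped, sanitized and stripped forms all deliver it to the browser as inert text, and only the sanitized form keeps the harmless <b> from the :markup sample.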