问题
I am getting a lot error as follows
Unescaped model attribute near line 20: show_errors(Objective.new(objective_params), :name)
Expanded View
This is my code
module ApplicationHelper
# Error Helper for Form
def show_errors(object, field_name)
if object.errors.any? && object.errors.messages[field_name][0].present?
"<label class='text-error'>" + object.errors.messages[field_name][0] + "</label>"
else
return ""
end
end
end
回答1:
From Brakeman Cross Site Scripting docs:
By default, Brakeman will also warn when a parameter or cookie value is used as an argument to a method, the result of which is output unescaped to a view.
For example:
<%= some_method(cookie[:name]) %>
This raises a warning like:
Unescaped cookie value near line 5: some_method(cookies[:oreo])
However, the confidence level for this warning will be weak, because it is not directly outputting the cookie value.
The last statement may be important. If you are sure your value gets into view escaped, this warning could probably be ignored/disabled.
来源:https://stackoverflow.com/questions/38673359/brakeman-error-unescaped-model-attribute-near