Brakeman Error - Unescaped model attribute near

Submitted by 无人久伴 on 2019-12-23 10:24:23

Question


I am getting a lot of errors like the following:

Unescaped model attribute near line 20: show_errors(Objective.new(objective_params), :name)


This is my code:

module ApplicationHelper
  # Error helper for forms: returns a label containing the first validation
  # message for field_name, or an empty string when there is none.
  def show_errors(object, field_name)
    if object.errors.any? && object.errors.messages[field_name][0].present?
      # The message is concatenated into raw markup by string concatenation.
      "<label class='text-error'>" + object.errors.messages[field_name][0] + "</label>"
    else
      ""
    end
  end
end

Answer 1:


From Brakeman Cross Site Scripting docs:

By default, Brakeman will also warn when a parameter or cookie value is used as an argument to a method, the result of which is output unescaped to a view.

For example:

<%= some_method(cookie[:name]) %>

This raises a warning like:

Unescaped cookie value near line 5: some_method(cookies[:oreo])

However, the confidence level for this warning will be weak, because it is not directly outputting the cookie value.

The last statement may be important. If you are sure your value gets into view escaped, this warning could probably be ignored/disabled.
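To make the "does the value get into the view escaped?" question concrete, here is an added example (not from the question or the answer, and not Brakeman's or Rails' own code) that runs on plain Ruby. It uses a constructed model whose error message carries markup, a `SafeString` class standing in for `ActiveSupport::SafeBuffer`, and a `rails_output` function that mimics what `<%= %>` does in Rails: escape plain Strings, emit html-safe ones verbatim. `show_errors_concat` is the helper from the question; `show_errors_escaped` is a hardened variant that escapes only the message, the same pattern `content_tag` / `tag.label` follow.

```ruby
require "erb"

# Minimal stand-ins for an ActiveModel object with errors (constructed for this example).
FakeErrors = Struct.new(:messages) do
  def any?
    messages.values.any? { |m| !m.empty? }
  end
end
FakeModel = Struct.new(:errors)

# Stand-in for ActiveSupport::SafeBuffer: a String that Rails' <%= %> emits
# verbatim because html_safe? is true. Plain Strings are escaped instead.
class SafeString < String
  def html_safe?
    true
  end
end

# Simulates what Rails' <%= %> does with a helper's return value.
def rails_output(value)
  if value.respond_to?(:html_safe?) && value.html_safe?
    value.to_s
  else
    ERB::Util.html_escape(value.to_s)
  end
end

# The helper from the question: the error message is concatenated into markup
# without escaping. Because the result is a plain String, Rails escapes the
# whole thing in the view, which neutralises the message but also destroys
# the <label> markup.
def show_errors_concat(object, field_name)
  msg = Array(object.errors.messages[field_name]).first
  if object.errors.any? && msg && !msg.empty?
    "<label class='text-error'>" + msg + "</label>"
  else
    ""
  end
end

# Hardened variant: escape only the message, then mark the resulting markup
# safe so the view renders the label while the message stays inert.
def show_errors_escaped(object, field_name)
  msg = Array(object.errors.messages[field_name]).first
  return "" unless object.errors.any? && msg && !msg.empty?
  SafeString.new("<label class='text-error'>#{ERB::Util.html_escape(msg)}</label>")
end

# Constructed sample: a validation message that echoes untrusted input
# (including markup) back to the user.
def sample_model
  FakeModel.new(FakeErrors.new({ name: ["<script>alert(1)</script> is not a valid name"] }))
end

if __FILE__ == $PROGRAM_NAME
  m = sample_model
  puts rails_output(show_errors_concat(m, :name))   # label markup escaped away
  puts rails_output(show_errors_escaped(m, :name))  # label kept, message escaped
end
```

The point for the Brakeman warning: with the question's helper the view output is safe only because `<%= %>` escapes the whole plain String, so the warning is a false positive for XSS but a real sign that the helper does not render its markup. Escaping the message inside the helper and returning an html-safe buffer (as `tag.label` does) gives both the intended markup and an output Brakeman no longer needs to guess about.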



Source: https://stackoverflow.com/questions/38673359/brakeman-error-unescaped-model-attribute-near
