# File lib/brakeman/checks/check_cross_site_scripting.rb, line 55
  # Checks a single template output node for XSS that needs no further
  # data-flow tracking: user input or a model value written straight into
  # the output.
  #
  # Only two shapes of output are examined: plain `:output` nodes, and
  # `:escaped_output` nodes whose escaping is undone again by a `raw(...)`
  # call (its first argument is taken) or a `.html_safe` call (its target
  # is taken). Any other escaped output yields no expression to inspect and
  # is handed to the helpers as nil — presumably they treat nil as "no match";
  # confirm against has_immediate_user_input? / has_immediate_model?.
  #
  # Reports either an "Unescaped <input>" warning (high confidence) or an
  # "Unescaped model attribute" warning (high if the match looks like a model
  # attribute, otherwise medium; the message, link and warning code change
  # when the value goes through `to_json`). Model warnings are suppressed when
  # the `:ignore_model_output` option is set or the called method is listed in
  # IGNORE_MODEL_METHODS.
  #
  # @param exp [Sexp] an `:output` or `:escaped_output` node
  # @return [Symbol, nil, false, Object] :duplicate when the node was already
  #   processed; nil when the output call is ignorable or the model method is
  #   ignored; false when nothing immediate was found; otherwise the result of
  #   `warn`
  def check_for_immediate_xss exp
    return :duplicate if duplicate? exp

    # The expression whose value actually reaches the page, once any
    # escape-defeating wrapper (raw / html_safe) has been peeled off.
    out = case exp.node_type
          when :output
            exp.value
          when :escaped_output
            if raw_call? exp
              exp.value.first_arg
            elsif html_safe_call? exp
              exp.value.target
            end
          end

    return if call?(out) && ignore_call?(out.target, out.method)

    input = has_immediate_user_input?(out)

    if input
      add_result exp

      warn :template => @current_template,
        :warning_type => "Cross-Site Scripting",
        :warning_code => :cross_site_scripting,
        :message => msg("Unescaped ", msg_input(input)),
        :code => input.match,
        :confidence => :high
    elsif !tracker.options[:ignore_model_output] && (match = has_immediate_model?(out))
      # Only call nodes carry a method name worth checking against the
      # ignore list; anything else is compared as nil.
      called = match.method if call? match

      return if IGNORE_MODEL_METHODS.include? called

      add_result exp

      confidence = likely_model_attribute?(match) ? :high : :medium

      # A model value serialised with to_json gets its own warning code and
      # documentation link.
      to_json = node_type?(out, :call, :safe_call, :attrasgn, :safe_attrasgn) &&
                out.method == :to_json

      warn :template => @current_template,
        :warning_type => "Cross-Site Scripting",
        :warning_code => (to_json ? :xss_to_json : :cross_site_scripting),
        :message => (to_json ? "Unescaped model attribute in JSON hash" : "Unescaped model attribute"),
        :code => match,
        :confidence => confidence,
        :link_path => (to_json ? "cross_site_scripting_to_json" : "cross_site_scripting")
    else
      false
    end
  end