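# Examines one argument handed to content_tag and reports a Cross-Site
# Scripting warning when it carries unescaped data. Three sources are
# recognised, checked in this order (only the first match is reported):
#
#   1. immediate user input, as decided by has_immediate_user_input?
#                                             -> confidence :high
#   2. an immediate model call (has_immediate_model?), skipped entirely
#      when tracker.options[:ignore_model_output] is set and skipped
#      silently when the called method is in IGNORE_MODEL_METHODS
#                                             -> :high if likely_model_attribute?,
#                                                otherwise :medium
#   3. a previously matched expression held in @matched, unless it is
#      model output and :ignore_model_output is set
#                                             -> confidence :medium
#
# result: the call result being checked; passed through to add_result/warn
# exp:    the argument expression. When raw?(exp) holds, exp.first_arg is
#         examined instead (presumably the value wrapped by a raw()-style
#         call — confirm in the parent check).
#
# The return value is not meaningful; findings are emitted through warn.
def check_argument result, exp
  # Call process before any check: besides yielding the expression to
  # inspect it can set @matched, which the third branch relies on.
  arg = process(raw?(exp) ? exp.first_arg : exp)

  if (input = has_immediate_user_input?(arg))
    report_content_tag result, input,
      msg("Unescaped ", msg_input(input), " in ", msg_code("content_tag")),
      :high
  elsif !tracker.options[:ignore_model_output] && (match = has_immediate_model?(arg))
    # Methods in IGNORE_MODEL_METHODS are treated as safe model output.
    return if IGNORE_MODEL_METHODS.include? match.method

    confidence = likely_model_attribute?(match) ? :high : :medium
    report_content_tag result, match,
      msg("Unescaped model attribute in ", msg_code("content_tag")),
      confidence
  elsif @matched
    return if @matched.type == :model && tracker.options[:ignore_model_output]

    report_content_tag result, @matched,
      msg("Unescaped ", msg_input(@matched), " in ", msg_code("content_tag")),
      :medium
  end
end

# Shared reporting path for check_argument: registers the result via
# add_result (presumably so the same call is not reported again — see the
# base check) and emits the content_tag XSS warning with the given
# user_input, message and confidence.
def report_content_tag result, user_input, message, confidence
  add_result result
  warn :result => result,
    :warning_type => "Cross-Site Scripting",
    :warning_code => :xss_content_tag,
    :message => message,
    :user_input => user_input,
    :confidence => confidence,
    :link_path => "content_tag"
end
private :report_content_tag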