# Visits a method-call node and, for the outermost call only, reports a
# Cross-Site Scripting warning when the call was traced back to user input
# that reaches the template unescaped.
#
# `@mark` is a re-entrancy guard: while an outer call is being handled, any
# nested call is only analyzed (via `actually_process_call`) and never emits
# its own warning, so one template expression yields at most one warning.
# `@matched` is expected to be set by that analysis when the call resolves
# to user-controlled input; both flags are cleared once the outer call is done.
#
# @param exp [Sexp] the `:call` node under inspection
# @return [Sexp] the same node, returned unchanged
def process_call(exp)
  if @mark
    # Nested inside another call: analyze only; the enclosing call reports.
    actually_process_call exp
  else
    @mark = true
    actually_process_call exp

    message = nil

    # `:ignore_model_output` suppresses warnings for matches whose `type` is
    # set — presumably output of model attributes; confirm against the
    # definition of @matched.
    if @matched && !(@matched.type && tracker.options[:ignore_model_output])
      message = msg("Unescaped ", msg_input(@matched))
    end

    # `message` is only non-nil when a match survived the filter above.
    if message && !duplicate?(exp)
      add_result exp

      link_path = "cross_site_scripting"
      warning_code = :cross_site_scripting

      # Calls on the known-dangerous list are reported at high confidence;
      # everything else is a weak finding.
      dangerous = @known_dangerous.include?(exp.method)
      confidence = dangerous ? :high : :weak

      # to_json gets its own warning code and a dedicated link path.
      if dangerous && exp.method == :to_json
        message << msg_plain(" in JSON hash")
        link_path += "_to_json"
        warning_code = :xss_to_json
      end

      warn template: @current_template,
           warning_type: "Cross-Site Scripting",
           warning_code: warning_code,
           message: message,
           code: exp,
           user_input: @matched,
           confidence: confidence,
           link_path: link_path
    end

    # Reset state so the next top-level call starts clean.
    @mark = @matched = false
  end

  exp
end