Class Brakeman::CheckCrossSiteScripting
In: lib/brakeman/checks/check_cross_site_scripting.rb
Parent: Brakeman::BaseCheck

This check looks for unescaped output in templates that contains request parameters or model attributes.

For example:

 <%= User.find(:id).name %>
 <%= params[:id] %>

Methods

Constants

IGNORE_MODEL_METHODS = Set[:average, :count, :maximum, :minimum, :sum, :id]
  Model methods which are known to be harmless
MODEL_METHODS = Set[:all, :find, :first, :last, :new]
IGNORE_LIKE = /^link_to_|(_path|_tag|_url)$/
HAML_HELPERS = Sexp.new(:colon2, Sexp.new(:const, :Haml), :Helpers)
XML_HELPER = Sexp.new(:colon2, Sexp.new(:const, :Erubis), :XmlHelper)
URI = Sexp.new(:const, :URI)
CGI = Sexp.new(:const, :CGI)
FORM_BUILDER = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new)
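A simplified, regex-based illustration of the logic the description and constants above drive, added here as an example; it is not Brakeman's own code, which walks parsed Sexp trees rather than template text. The functions unescaped_outputs, dangerous_output? and scan_template and the SAMPLE_TEMPLATE are constructed for this example; the rails2 flag reflects that Rails 2 did not HTML-escape <%= %> by default while Rails 3+ does, so in Rails 3+ only <%== %> and raw(...) reach the page unescaped.

```ruby
require 'set'

# The constants documented above for Brakeman::CheckCrossSiteScripting.
IGNORE_MODEL_METHODS = Set[:average, :count, :maximum, :minimum, :sum, :id]
MODEL_METHODS        = Set[:all, :find, :first, :last, :new]
IGNORE_LIKE          = /^link_to_|(_path|_tag|_url)$/

# Ruby inside each output tag that reaches the page unescaped: <%== %> and raw(...)
# always; every <%= %> too when rails2: true, as Rails 2 did not escape by default.
def unescaped_outputs(template, rails2: false)
  outputs = []
  template.scan(/<%(==?)\s*(.*?)\s*%>/m) do |sigil, code|
    inner = code[/\Araw\((.*)\)\z/m, 1]             # body of raw(...), if any
    outputs << (inner || code) if sigil == '==' || rails2 || inner
  end
  outputs
end

# Classify one output expression: :params, :cookies, :model, or nil if harmless.
def dangerous_output?(code)
  # Helpers named *_path, *_url, *_tag or link_to_* are skipped, as IGNORE_LIKE does.
  return nil if code =~ /\A(\w+)\s*\(/ && Regexp.last_match(1) =~ IGNORE_LIKE
  return :params  if code.include?('params[')
  return :cookies if code.include?('cookies[')
  # Model.find(...).attr is a model attribute unless attr is a known-harmless method.
  if (m = code.match(/\A[A-Z]\w*\.(\w+)\b.*?\.(\w+)\s*\z/m)) &&
     MODEL_METHODS.include?(m[1].to_sym) && !IGNORE_MODEL_METHODS.include?(m[2].to_sym)
    return :model
  end
  nil
end

# Every [expression, kind] pair the template would be warned about.
def scan_template(template, rails2: false)
  unescaped_outputs(template, rails2: rails2).each_with_object([]) do |code, found|
    kind = dangerous_output?(code)
    found << [code, kind] if kind
  end
end

# Constructed sample template, not taken from any real application.
SAMPLE_TEMPLATE = <<~ERB
  <h1><%= User.find(params[:id]).name %></h1>
  <p><%== params[:q] %></p>
  <p><%= raw(cookies[:theme]) %></p>
  <p><%= user_path(params[:id]) %></p>
  <p><%= User.first.name %></p>
  <p><%= User.count %></p>
ERB
puts scan_template(SAMPLE_TEMPLATE).inspect, scan_template(SAMPLE_TEMPLATE, rails2: true).inspect
```

Under Rails 3+ rules only the `<%== %>` and `raw(...)` lines are reported; with rails2: true the auto-escaped `<%= %>` lines are reported as well, while the path helper and `User.count` stay ignored in both modes.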

Public Instance methods

Call already involves a model, but might not be acting on a record

Check a call for user input

Since we want to report an entire call and not just part of one, use @mark to mark when a call is started. Any dangerous values inside will then report the entire call chain.

Note that cookies have been found

Process as default

Look for calls to raw(). Otherwise, ignore.

Process as default

Ignore output HTML escaped via HAML

Ignore condition in if Sexp

Process an output Sexp

Note that params have been found

Ignore calls to render

Run check