Class Brakeman::CheckLinkToHref
In: lib/brakeman/checks/check_link_to_href.rb
Parent: Brakeman::CheckLinkTo

Checks for calls to link_to which pass potentially hazardous data as the second argument. While this argument must be html_safe so as not to break the HTML, it must also be URL-safe, as determined by calling a :url_safe_method. This prevents attacks such as javascript:evil() or data:<encoded XSS>, which are html_safe but not safe as an href. Props to Nick Green for the idea.
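The distinction the check relies on, as an added example that is not Brakeman's own code: HTML-escaping a href leaves a javascript: or data: URL intact, so a separate URL-safety check (the kind of :url_safe_method the check looks for) is needed before user data reaches link_to's second argument. The helper names, the allowed-scheme list and the sample hrefs are assumptions constructed for this example.

```ruby
require 'erb'
require 'uri'

# Added example, not Brakeman's code. ALLOWED_SCHEMES and the sample hrefs
# are constructed for illustration.
ALLOWED_SCHEMES = %w[http https].freeze

# Constructed user-supplied href values, as they might reach link_to.
SAMPLE_HREFS = [
  'javascript:evil()',
  'data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==',
  'https://example.com/profile',
  '/account/settings?tab=1'
].freeze

# What plain `h` / html_safe buys you: only &, <, >, " and ' are escaped,
# so a javascript: or data: URL passes through untouched.
def html_escaped(href)
  ERB::Util.html_escape(href)
end

# URL-safety check: accept site-relative paths and absolute http(s) URLs.
# Any other scheme (javascript:, data:, vbscript:, ...) and scheme-less
# host references (//other.example/x) are rejected; unparsable input too.
def url_safe?(href)
  uri = URI.parse(href.to_s.strip)
  if uri.scheme.nil?
    uri.host.nil? && !uri.path.to_s.empty?
  else
    ALLOWED_SCHEMES.include?(uri.scheme.downcase)
  end
rescue URI::InvalidURIError
  false
end

# A link_to-style helper applying both checks: the href must pass url_safe?
# (otherwise it is replaced by "#") and is then HTML-escaped for the attribute.
def safe_link_to(text, href)
  target = url_safe?(href) ? html_escaped(href) : '#'
  %(<a href="#{target}">#{html_escaped(text)}</a>)
end

# For each sample: does it survive HTML escaping unchanged, and is it URL-safe?
def classify(hrefs = SAMPLE_HREFS)
  hrefs.to_h { |h| [h, { html_safe_unchanged: html_escaped(h) == h, url_safe: url_safe?(h) }] }
end

classify.each { |href, v| puts "#{href.ljust(60)} #{v.inspect}" } if __FILE__ == $PROGRAM_NAME
```

Running the file prints that the first two samples are unchanged by escaping yet fail url_safe?, which is exactly the gap the check reports.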

Constants

CHECK_INSIDE_METHODS = [:url_for, :h, :sanitize]

Public Instance methods

Ignores situations where the href is an interpolated string with something before the user input, since a scheme such as javascript: can only take effect when the user-controlled part begins the href.
