# File lib/brakeman/checks/check_content_tag.rb, line 90
  #Inspect one content_tag argument and report a Cross-Site Scripting
  #warning (code :xss_content_tag) when unescaped input is found in it.
  #
  #The checks run in order and only the first matching branch is used:
  #
  # 1. has_immediate_user_input? matches        -> :high confidence
  # 2. has_immediate_model? matches, unless the
  #    :ignore_model_output option is set       -> :high if likely_model_attribute?,
  #                                                otherwise :medium
  # 3. @matched is set                          -> :medium confidence
  #
  #In branch 2 a match whose method is listed in IGNORE_MODEL_METHODS is
  #dropped silently; because this is an elsif chain, the @matched fallback
  #is not consulted in that case.
  #
  #+result+ is handed to add_result and attached to the warning, +exp+ is
  #the argument expression to examine.
  def check_argument result, exp
    #For raw(...) examine what is being wrapped rather than the raw call itself
    target = raw?(exp) ? exp.first_arg : exp
    arg = process target

    #Every warning from this method shares type, code and link path; only the
    #message, the offending value and the confidence differ per branch.
    report = lambda do |message, user_input, confidence|
      warn(result: result,
           warning_type: "Cross-Site Scripting",
           warning_code: :xss_content_tag,
           message: message,
           user_input: user_input,
           confidence: confidence,
           link_path: "content_tag")
    end

    if (input = has_immediate_user_input?(arg))
      message = msg("Unescaped ", msg_input(input), " in ", msg_code("content_tag"))

      add_result result
      report.call(message, input, :high)

    elsif !tracker.options[:ignore_model_output] && (match = has_immediate_model?(arg))
      unless IGNORE_MODEL_METHODS.include?(match.method)
        add_result result

        confidence = likely_model_attribute?(match) ? :high : :medium

        report.call(msg("Unescaped model attribute in ", msg_code("content_tag")), match, confidence)
      end

    elsif @matched
      #@matched is assigned outside this method (presumably while processing
      #the argument - confirm). Model matches are still suppressed when the
      #user asked to ignore model output.
      return if @matched.type == :model && tracker.options[:ignore_model_output]

      message = msg("Unescaped ", msg_input(@matched), " in ", msg_code("content_tag"))

      add_result result
      report.call(message, @matched, :medium)
    end
  end