# Examine one `link_to` call located by this check and report Cross-Site
# Scripting when the href argument (the call's second argument) is taken
# directly from user input or, unless the user opted out via
# `:ignore_model_output`, from a model attribute.
#
# @param result [Hash] call-site record from the tracker; its :call entry
#   is swapped for a copy so the original Sexp stays untouched
# @return [nil] findings are reported through `warn` as a side effect
def process_result result
  call = result[:call] = result[:call].dup
  @matched = false

  href = process(call.second_arg)
  # Look through one wrapping call when `check_argument?` says so
  # (presumably a URL helper wrapping the real value — confirm in check_argument?).
  href = href.first_arg if check_argument?(href)

  # Calls on the ignore list are never a finding.
  return if call?(href) && ignore_call?(href.target, href.method)

  # Attributes common to both warnings emitted below.
  shared = {
    :result => result,
    :warning_type => "Cross-Site Scripting",
    :warning_code => :xss_link_to_href,
    :link_path => "link_to_href"
  }

  if (input = has_immediate_user_input?(href))
    # Input the tracker classifies as immediate user input reaching the href:
    # reported with high confidence unless one of the filters applies.
    message = msg("Unsafe ", msg_input(input), " in ", msg_code("link_to"), " href")
    skip = duplicate?(result) || call_on_params?(href) || ignore_interpolation?(href, input.match)
    unless skip
      add_result result
      warn(**shared, :message => message, :user_input => input, :confidence => :high)
    end
  elsif !tracker.options[:ignore_model_output] && (input = has_immediate_model?(href))
    # A model attribute is only potentially attacker-controlled, so the
    # confidence is weak; `ignore_model_call?` filters accessors treated as safe.
    return if ignore_model_call?(href, input) || duplicate?(result)

    add_result result
    message = msg("Potentially unsafe model attribute in ", msg_code("link_to"), " href")
    warn(**shared, :message => message, :user_input => input, :confidence => :weak)
  end
end