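# Builds the per-check method sets used while scanning for XSS:
# @ignore_methods (output helpers treated as already safe), @known_dangerous
# (methods treated as unsafe even when their output is escaped) and one entry
# appended to @safe_input_attributes. Which methods land in which set depends
# on the Rails version seen by the tracker and on the rails-html-sanitizer gem
# version recorded in tracker.config.
#
# Relies on tracker, version_between? and true? being provided by the
# enclosing check class, and on @safe_input_attributes already being a Set
# (presumably initialised by the base check — confirm).
def setup
  @ignore_methods = Set[:==, :!=, :button_to, :check_box, :content_tag, :escapeHTML, :escape_once,
                        :field_field, :fields_for, :h, :hidden_field,
                        :hidden_field_tag, :image_tag, :label,
                        :link_to, :mail_to, :radio_button, :select,
                        :submit_tag, :text_area, :text_field,
                        :text_field_tag, :url_encode, :u, :url_for,
                        :will_paginate].merge tracker.options[:safe_methods]

  @models = tracker.models.keys
  @inspect_arguments = tracker.options[:check_arguments]

  @known_dangerous = Set[:truncate, :concat]

  # auto_link: dangerous for Rails 2.0.0-3.0.5, safe for 3.0.6-3.0.x,
  # otherwise left out of both sets.
  if version_between? "2.0.0", "3.0.5"
    @known_dangerous << :auto_link
  elsif version_between? "3.0.6", "3.0.99"
    @ignore_methods << :auto_link
  end

  # Both sanitizer checks refer to the same gem, so spell its name once:
  # a doubled/concatenated literal here silently queries a gem name that
  # never matches. The symbol form is what the tracker's config is assumed
  # to key gems by — TODO confirm against Brakeman::Config.
  sanitizer_gem = :'rails-html-sanitizer'
  sanitizer_version = tracker.config.gem_version(sanitizer_gem)

  # strip_tags: dangerous on old Rails or on the 1.0.2 sanitizer release.
  if version_between?("2.0.0", "2.3.14") || sanitizer_version == '1.0.2'
    @known_dangerous << :strip_tags
  end

  # sanitize: dangerous only when rails-html-sanitizer 1.0.0-1.0.2 is present.
  if tracker.config.has_gem?(sanitizer_gem) &&
     version_between?("1.0.0", "1.0.2", sanitizer_version)
    @known_dangerous << :sanitize
  end

  # to_json is treated as safe only when ActiveSupport escapes HTML entities in
  # JSON output. That is read from the
  # ActiveSupport.escape_html_entities_in_json= initializers (last one seen
  # wins), then forced on by the config flag or by a Rails 4.0.0+ version.
  json_escape_on = false
  initializers = tracker.check_initializers :ActiveSupport, :escape_html_entities_in_json=
  initializers.each { |result| json_escape_on = true?(result.call.first_arg) }

  json_escape_on = true if tracker.config.escape_html_entities_in_json? ||
                           version_between?("4.0.0", "9.9.9")

  # Rails 2.0.x is flagged regardless of the escaping setting.
  if !json_escape_on || version_between?("0.0.0", "2.0.99")
    @known_dangerous << :to_json
    Brakeman.debug("Automatic to_json escaping not enabled, consider to_json dangerous")
  else
    @safe_input_attributes << :to_json
    Brakeman.debug("Automatic to_json escaping is enabled.")
  end
end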