Class | Brakeman::CheckCrossSiteScripting |
In: | lib/brakeman/checks/check_cross_site_scripting.rb |
Parent: | Brakeman::BaseCheck |
This check looks for unescaped output in templates that contains parameters or model attributes.
For example:
<%= User.find(:id).name %> <%= params[:id] %>
IGNORE_MODEL_METHODS | = | Set[:average, :count, :maximum, :minimum, :sum, :id] | Model methods whose return values are known to be harmless | |
MODEL_METHODS | = | Set[:all, :find, :first, :last, :new] | ||
IGNORE_LIKE | = | /^link_to_|(_path|_tag|_url)$/ | ||
HAML_HELPERS | = | Sexp.new(:colon2, Sexp.new(:const, :Haml), :Helpers) | ||
XML_HELPER | = | Sexp.new(:colon2, Sexp.new(:const, :Erubis), :XmlHelper) | ||
URI | = | Sexp.new(:const, :URI) | ||
CGI | = | Sexp.new(:const, :CGI) | ||
FORM_BUILDER | = | Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new) |