# Reports an expression that is written straight into the page as a
# Cross-Site Scripting warning.
#
# Two template node shapes are examined:
#   * an `:output` node, whose value is emitted without escaping;
#   * an `:escaped_output` node whose value is a `raw(...)` call or a
#     `.html_safe` call (both opt the value out of the default escaping).
#     The expression that matters is then the first argument of `raw` or
#     the receiver of `html_safe`, respectively. Any other escaped output
#     is left alone (nothing to inspect).
#
# Calls whose target/method pair is on the ignore list are skipped. The
# expression is then checked for direct user input (high confidence), and
# failing that -- unless the `ignore_model_output` option is set -- for a
# direct model reference. A model reference rendered through `to_json` gets
# its own warning code and link path so it can be documented separately.
#
# @param exp [Sexp] an `:output` or `:escaped_output` template node
# @return [Symbol, nil, false, Object] :duplicate if already reported; nil
#   when the call is ignored or the model method is in IGNORE_MODEL_METHODS;
#   false when nothing suspicious is found; otherwise the result of `warn`
def check_for_immediate_xss exp
  return :duplicate if duplicate? exp

  # The expression that actually reaches the page, or nil when the node is
  # an escaped output that does not bypass escaping.
  suspect = case exp.node_type
            when :output
              exp.value
            when :escaped_output
              if raw_call? exp
                exp.value.first_arg
              elsif html_safe_call? exp
                exp.value.target
              end
            end

  return if call?(suspect) && ignore_call?(suspect.target, suspect.method)

  user_input = has_immediate_user_input?(suspect)

  if user_input
    add_result exp

    warn :template => @current_template,
         :warning_type => "Cross-Site Scripting",
         :warning_code => :cross_site_scripting,
         :message => msg("Unescaped ", msg_input(user_input)),
         :code => user_input.match,
         :confidence => :high
  elsif tracker.options[:ignore_model_output]
    # Model output checks are disabled by configuration; no model lookup is made.
    false
  elsif (model = has_immediate_model?(suspect))
    model_method = call?(model) ? model.method : nil

    # Some model methods are considered safe to render (see IGNORE_MODEL_METHODS).
    return if IGNORE_MODEL_METHODS.include? model_method

    add_result exp

    confidence = likely_model_attribute?(model) ? :high : :medium

    # `model.to_json` in the template is reported under a JSON-specific code
    # so the link points at JSON-oriented guidance.
    json_output = node_type?(suspect, :call, :safe_call, :attrasgn, :safe_attrasgn) &&
                  suspect.method == :to_json

    message, link_path, warning_code =
      if json_output
        ["Unescaped model attribute in JSON hash", "cross_site_scripting_to_json", :xss_to_json]
      else
        ["Unescaped model attribute", "cross_site_scripting", :cross_site_scripting]
      end

    warn :template => @current_template,
         :warning_type => "Cross-Site Scripting",
         :warning_code => warning_code,
         :message => message,
         :code => model,
         :confidence => confidence,
         :link_path => link_path
  else
    false
  end
end