app/helpers/application_helper.rb
Tagging a string as html safe may be a security risk.
"window.CLOUDINARY_CONFIG = #{params.to_json};".html_safe,
This cop checks for the use of output safety calls such as html_safe, raw, and safe_concat. These methods do not escape content; they simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it, and concat to concatenate content and escape it, so that the result is actually safe.
Example:
user_content = "<b>hi</b>"

# bad
"<p>#{user_content}</p>".html_safe
# => ActiveSupport::SafeBuffer "<p><b>hi</b></p>"

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<p>&lt;b&gt;hi&lt;/b&gt;</p>"

# bad
out = ""
out << "<li>#{user_content}</li>"
out << "<li>#{user_content}</li>"
out.html_safe
# => ActiveSupport::SafeBuffer "<li><b>hi</b></li><li><b>hi</b></li>"

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "<li>&lt;b&gt;hi&lt;/b&gt;</li><li>&lt;b&gt;hi&lt;/b&gt;</li>"

# bad
out = "<h1>trusted content</h1>".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "<h1>trusted content</h1><b>hi</b>"

# good
out = "<h1>trusted content</h1>".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "<h1>trusted content</h1>&lt;b&gt;hi&lt;/b&gt;"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted content<b>hi</b>"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content&lt;b&gt;hi&lt;/b&gt;

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "&lt;b&gt;hi&lt;/b&gt; <span>&lt;b&gt;hi&lt;/b&gt;</span>"
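The flagged line above interpolates params.to_json into a script block and marks the whole string html_safe, so a request parameter that happens to contain a closing script tag reaches the browser unescaped. The following is an added example, not code from this page or from the Cloudinary gem, showing that naive version next to a hardened one that allowlists the keys sent to the client and escapes the JSON for script context. The escaping table is modeled on ActiveSupport's ERB::Util.json_escape but is reimplemented here so the example runs on plain Ruby without Rails; the CLIENT_CONFIG_KEYS allowlist, the helper names and the sample parameters are all constructed for this illustration.

```ruby
require 'json'

# Keys that may reach the browser. Constructed here; assumed to mirror the
# intent of the CLOUDINARY_JS_CONFIG_PARAMS allowlist flagged on this page.
CLIENT_CONFIG_KEYS = %w[api_key cloud_name private_cdn secure_distribution].freeze

# Replacement table modeled on ActiveSupport's ERB::Util.json_escape, written
# out here so the example runs without Rails. Each replacement is a JSON \u
# escape, so the output stays valid JSON and valid JavaScript, but can no
# longer contain a literal "</script>" or any HTML-significant character.
SCRIPT_UNSAFE = /[&<>\u2028\u2029]/
SCRIPT_ESCAPES = {
  '&' => '\u0026', '<' => '\u003c', '>' => '\u003e',
  "\u2028" => '\u2028', "\u2029" => '\u2029'
}.freeze

# Serialise `value` for interpolation inside a <script> element.
def json_for_script(value)
  JSON.generate(value).gsub(SCRIPT_UNSAFE, SCRIPT_ESCAPES)
end

# Keep only the allowlisted keys (string keys assumed, as with Rails params),
# so server-side settings never get serialised into the page by accident.
def client_config(params)
  params.transform_keys(&:to_s).slice(*CLIENT_CONFIG_KEYS)
end

# The pattern flagged on the page: raw to_json straight into markup. A value
# containing "</script>" terminates the element early.
def naive_config_script(params)
  "<script type=\"text/javascript\">window.CLOUDINARY_CONFIG = #{params.to_json};</script>"
end

# Hardened form: allowlist the keys, then escape for script context. In a
# Rails helper this string is what would be marked html_safe, after escaping.
def safe_config_script(params)
  "<script type=\"text/javascript\">window.CLOUDINARY_CONFIG = #{json_for_script(client_config(params))};</script>"
end

# Constructed sample request parameters: one value carries an early closing
# tag, and one key is a server-side secret that must not be sent to clients.
SAMPLE_PARAMS = {
  'cloud_name' => 'demo</script>',
  'api_key' => '123456',
  'api_secret' => 'must-not-reach-the-browser'
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts naive_config_script(SAMPLE_PARAMS) # two "</script>" tags: element breaks early
  puts safe_config_script(SAMPLE_PARAMS)  # one "</script>" tag, secret dropped
end
```

A JSON-aware escape is used rather than html_escape because the HTML parser does not decode entities inside a script element: a double quote turned into &quot; would be handed to the JavaScript engine verbatim and break the string literals, whereas \u003c is read by the HTML parser as six harmless characters and by JavaScript as the intended "<".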
Use the new Ruby 1.9 hash syntax.
:type=>'text/javascript'
This cop checks hash literal syntax.
It can enforce either the use of the classic hash rocket syntax or the use of the newer Ruby 1.9 syntax (when applicable).
A separate offense is registered for each problematic pair.
The supported styles are:
- ruby19 - forces use of the 1.9 syntax (e.g. {a: 1}) when hashes have all symbols for keys
- hash_rockets - forces use of hash rockets for all hashes
- no_mixed_keys - simply checks for hashes with mixed syntaxes
- ruby19_no_mixed_keys - forces use of Ruby 1.9 syntax and forbids mixed syntax hashes
Example: EnforcedStyle: ruby19
# good
{a: 2, b: 1}
{:c => 2, 'd' => 2} # acceptable since 'd' isn't a symbol
{d: 1, 'e' => 2} # technically not forbidden
# bad
{:a => 2}
{b: 1, :c => 2}
Example: EnforcedStyle: hash_rockets
# good
{:a => 1, :b => 2}
# bad
{a: 1, b: 2}
{c: 1, 'd' => 5}
Example: EnforcedStyle: no_mixed_keys
# good
{:a => 1, :b => 2}
{c: 1, d: 2}
# bad
{:a => 1, b: 2}
{c: 1, 'd' => 2}
Example: EnforcedStyle: ruby19_no_mixed_keys
# good
{a: 1, b: 2}
{:c => 3, 'd' => 4}
# bad
{:a => 1, :b => 2}
{c: 2, 'd' => 3} # should just use hash rockets
Freeze mutable objects assigned to constants.
CLOUDINARY_JS_CONFIG_PARAMS = %i[
api_key
cloud_name
private_cdn
secure_distribution
This cop checks that a constant is not assigned a mutable literal (e.g. an array or hash) without freezing it.
Example:
# bad
CONST = [1, 2, 3]
# good
CONST = [1, 2, 3].freeze
Surrounding space missing for operator =>.
:type=>'text/javascript'