Sign upLogin

SpeciesFileGroup/taxonworks

View on GitHub
Star
app/helpers/citation_topics_helper.rb

Summary

Maintainability
A
0 mins
Test Coverage

Tagging a string as html safe may be a security risk.
Open

    str.html_safe
Severity: Minor
Found in app/helpers/citation_topics_helper.rb by rubocop

This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

Example:

user_content = "hi"

# bad
"
#{user_content}
".html_safe
# => ActiveSupport::SafeBuffer "
hi
"

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "
<b>hi</b>
"

# bad
out = ""
out << "
  • #{user_content}
    • "
out << "
  • #{user_content}
    • "
out.html_safe
# => ActiveSupport::SafeBuffer "
  • hi
    • 

  • hi
    • "

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "
  • <b>hi</b>
    • 

  • <b>hi</b>
    • "

# bad
out = "
    trusted content
    ".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "
    trusted_content
    
hi"

# good
out = "
    trusted content
    ".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "
    trusted_content
    <b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

    Use citation.pages.present? instead of !citation.pages.blank?.
    Open

        str = str + ": #{citation.pages}." if !citation.pages.blank?
    Severity: Minor
    Found in app/helpers/citation_topics_helper.rb by rubocop

    This cop checks for code that can be written with simpler conditionals using Object#present? defined by Active Support.

    Interaction with Style/UnlessElse: The configuration of NotBlank will not produce an offense in the context of unless else if Style/UnlessElse is inabled. This is to prevent interference between the auto-correction of the two cops.

    Example: NotNilAndNotEmpty: true (default)

    # Converts usages of `!nil? && !empty?` to `present?`

# bad
!foo.nil? && !foo.empty?

# bad
foo != nil && !foo.empty?

# good
foo.present?

    Example: NotBlank: true (default)

    # Converts usages of `!blank?` to `present?`

# bad
!foo.blank?

# bad
not foo.blank?

# good
foo.present?

    Example: UnlessBlank: true (default)

    # Converts usages of `unless blank?` to `if present?`

# bad
something unless foo.blank?

# good
something if foo.present?

    Tagging a string as html safe may be a security risk.
    Open

        str = [citation_topic.topic.name, ': ', object_tag(citation.citation_object.metamorphosize).html_safe, ' in ', citation_string].join
    Severity: Minor
    Found in app/helpers/citation_topics_helper.rb by rubocop

    This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

    Example:

    user_content = "hi"

# bad
"
    #{user_content}
    ".html_safe
# => ActiveSupport::SafeBuffer "
    hi
    "

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "
    <b>hi</b>
    "

# bad
out = ""
out << "
  • #{user_content}
    • "
out << "
  • #{user_content}
    • "
out.html_safe
# => ActiveSupport::SafeBuffer "
  • hi
    • 

  • hi
    • "

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "
  • <b>hi</b>
    • 

  • <b>hi</b>
    • "

# bad
out = "
    trusted content
    ".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "
    trusted_content
    
hi"

# good
out = "
    trusted content
    ".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "
    trusted_content
    <b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

    There are no issues that match your filters.

    Category
    Status