Tagging a string as html safe may be a security risk. Open
[citation.citation_object.class.name, ': ', label_for(citation.citation_object&.metamorphosize), ' in ', citation_source_body_label(citation)].compact.join.html_safe
- Read upRead up
- Exclude checks
This cop checks for the use of output safety calls like html_safe
,
raw
, and safe_concat
. These methods do not escape content. They
simply return a SafeBuffer containing the content as is. Instead,
use safe_join
to join content and escape it and concat to
concatenate content and escape it, ensuring its safety.
Example:
user_content = "hi"
# bad
"#{user_content}
".html_safe
# => ActiveSupport::SafeBuffer "hi
"
# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>
"
# bad
out = ""
out << "#{user_content} "
out << "#{user_content} "
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi "
# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
# "<b>hi</b>
<b>hi</b> "
# bad
out = "trusted content
".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"
# good
out = "trusted content
".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
# "trusted_content
<b>hi</b>"
# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>
# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"
# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
# "<b>hi</b> <span><b>hi</b></span>"
Tagging a string as html safe may be a security risk. Open
}.join.html_safe
- Read upRead up
- Exclude checks
This cop checks for the use of output safety calls like html_safe
,
raw
, and safe_concat
. These methods do not escape content. They
simply return a SafeBuffer containing the content as is. Instead,
use safe_join
to join content and escape it and concat to
concatenate content and escape it, ensuring its safety.
Example:
user_content = "hi"
# bad
"#{user_content}
".html_safe
# => ActiveSupport::SafeBuffer "hi
"
# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>
"
# bad
out = ""
out << "#{user_content} "
out << "#{user_content} "
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi "
# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
# "<b>hi</b>
<b>hi</b> "
# bad
out = "trusted content
".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"
# good
out = "trusted content
".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
# "trusted_content
<b>hi</b>"
# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>
# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"
# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
# "<b>hi</b> <span><b>hi</b></span>"
Tagging a string as html safe may be a security risk. Open
link_to(citation_tag(citation).html_safe, citation.citation_object.metamorphosize)
- Read upRead up
- Exclude checks
This cop checks for the use of output safety calls like html_safe
,
raw
, and safe_concat
. These methods do not escape content. They
simply return a SafeBuffer containing the content as is. Instead,
use safe_join
to join content and escape it and concat to
concatenate content and escape it, ensuring its safety.
Example:
user_content = "hi"
# bad
"#{user_content}
".html_safe
# => ActiveSupport::SafeBuffer "hi
"
# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>
"
# bad
out = ""
out << "#{user_content} "
out << "#{user_content} "
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi "
# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
# "<b>hi</b>
<b>hi</b> "
# bad
out = "trusted content
".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"
# good
out = "trusted content
".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
# "trusted_content
<b>hi</b>"
# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>
# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"
# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
# "<b>hi</b> <span><b>hi</b></span>"
Tagging a string as html safe may be a security risk. Open
[citation.citation_object.class.name, ': ', object_tag(citation.citation_object&.metamorphosize), ' in ', citation_source_body(citation)].compact.join.html_safe
- Read upRead up
- Exclude checks
This cop checks for the use of output safety calls like html_safe
,
raw
, and safe_concat
. These methods do not escape content. They
simply return a SafeBuffer containing the content as is. Instead,
use safe_join
to join content and escape it and concat to
concatenate content and escape it, ensuring its safety.
Example:
user_content = "hi"
# bad
"#{user_content}
".html_safe
# => ActiveSupport::SafeBuffer "hi
"
# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>
"
# bad
out = ""
out << "#{user_content} "
out << "#{user_content} "
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi "
# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
# "<b>hi</b>
<b>hi</b> "
# bad
out = "trusted content
".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"
# good
out = "trusted content
".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
# "trusted_content
<b>hi</b>"
# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>
# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"
# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
# "<b>hi</b> <span><b>hi</b></span>"
Tagging a string as html safe may be a security risk. Open
].compact.join(' ').html_safe
- Read upRead up
- Exclude checks
This cop checks for the use of output safety calls like html_safe
,
raw
, and safe_concat
. These methods do not escape content. They
simply return a SafeBuffer containing the content as is. Instead,
use safe_join
to join content and escape it and concat to
concatenate content and escape it, ensuring its safety.
Example:
user_content = "hi"
# bad
"#{user_content}
".html_safe
# => ActiveSupport::SafeBuffer "hi
"
# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>
"
# bad
out = ""
out << "#{user_content} "
out << "#{user_content} "
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi "
# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
# "<b>hi</b>
<b>hi</b> "
# bad
out = "trusted content
".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"
# good
out = "trusted content
".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
# "trusted_content
<b>hi</b>"
# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>
# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"
# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
# "<b>hi</b> <span><b>hi</b></span>"
Use ct.pages.present?
instead of !ct.pages.blank?
. Open
content_tag(:span, (controlled_vocabulary_term_tag(ct.topic.metamorphosize) + (!ct.pages.blank? ? ": #{ct.pages}" : '')), class: [:annotation__citation_topic])
- Read upRead up
- Exclude checks
This cop checks for code that can be written with simpler conditionals
using Object#present?
defined by Active Support.
Interaction with Style/UnlessElse
:
The configuration of NotBlank
will not produce an offense in the
context of unless else
if Style/UnlessElse
is inabled. This is
to prevent interference between the auto-correction of the two cops.
Example: NotNilAndNotEmpty: true (default)
# Converts usages of `!nil? && !empty?` to `present?`
# bad
!foo.nil? && !foo.empty?
# bad
foo != nil && !foo.empty?
# good
foo.present?
Example: NotBlank: true (default)
# Converts usages of `!blank?` to `present?`
# bad
!foo.blank?
# bad
not foo.blank?
# good
foo.present?
Example: UnlessBlank: true (default)
# Converts usages of `unless blank?` to `if present?`
# bad
something unless foo.blank?
# good
something if foo.present?
Tagging a string as html safe may be a security risk. Open
].join.html_safe
- Read upRead up
- Exclude checks
This cop checks for the use of output safety calls like html_safe
,
raw
, and safe_concat
. These methods do not escape content. They
simply return a SafeBuffer containing the content as is. Instead,
use safe_join
to join content and escape it and concat to
concatenate content and escape it, ensuring its safety.
Example:
user_content = "hi"
# bad
"#{user_content}
".html_safe
# => ActiveSupport::SafeBuffer "hi
"
# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>
"
# bad
out = ""
out << "#{user_content} "
out << "#{user_content} "
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi "
# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
# "<b>hi</b>
<b>hi</b> "
# bad
out = "trusted content
".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"
# good
out = "trusted content
".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
# "trusted_content
<b>hi</b>"
# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>
# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"
# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
# "<b>hi</b> <span><b>hi</b></span>"
Use ct.pages.present?
instead of !ct.pages.blank?
. Open
label_for_controlled_vocabulary_term(ct.topic.metamorphosize) + (!ct.pages.blank? ? ": #{ct.pages}" : '')
- Read upRead up
- Exclude checks
This cop checks for code that can be written with simpler conditionals
using Object#present?
defined by Active Support.
Interaction with Style/UnlessElse
:
The configuration of NotBlank
will not produce an offense in the
context of unless else
if Style/UnlessElse
is inabled. This is
to prevent interference between the auto-correction of the two cops.
Example: NotNilAndNotEmpty: true (default)
# Converts usages of `!nil? && !empty?` to `present?`
# bad
!foo.nil? && !foo.empty?
# bad
foo != nil && !foo.empty?
# good
foo.present?
Example: NotBlank: true (default)
# Converts usages of `!blank?` to `present?`
# bad
!foo.blank?
# bad
not foo.blank?
# good
foo.present?
Example: UnlessBlank: true (default)
# Converts usages of `unless blank?` to `if present?`
# bad
something unless foo.blank?
# good
something if foo.present?
Similar blocks of code found in 5 locations. Consider refactoring. Open
def citation_list_tag(object)
return nil unless object.has_citations? && object.citations.any?
content_tag(:h3, 'Citations') +
content_tag(:ul, class: 'annotations__citation_list') do
object.citations.collect{|t|
- Read upRead up
Duplicated Code
Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:
Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.
When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).
Tuning
This issue has a mass of 32.
We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.
The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.
If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.
See codeclimate-duplication
's documentation for more information about tuning the mass threshold in your .codeclimate.yml
.
Refactorings
- Extract Method
- Extract Class
- Form Template Method
- Introduce Null Object
- Pull Up Method
- Pull Up Field
- Substitute Algorithm
Further Reading
- Don't Repeat Yourself on the C2 Wiki
- Duplicated Code on SourceMaking
- Refactoring: Improving the Design of Existing Code by Martin Fowler. Duplicated Code, p76