Tagging a string as html safe may be a security risk. Open
( content_tag('clip-path', depiction.svg_clip, id: anchor ).html_safe +
- Read upRead up
- Exclude checks
This cop checks for the use of output safety calls like html_safe
,
raw
, and safe_concat
. These methods do not escape content. They
simply return a SafeBuffer containing the content as is. Instead,
use safe_join
to join content and escape it and concat to
concatenate content and escape it, ensuring its safety.
Example:
user_content = "hi"
# bad
"#{user_content}
".html_safe
# => ActiveSupport::SafeBuffer "hi
"
# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>
"
# bad
out = ""
out << "#{user_content} "
out << "#{user_content} "
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi "
# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
# "<b>hi</b>
<b>hi</b> "
# bad
out = "trusted content
".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"
# good
out = "trusted content
".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
# "trusted_content
<b>hi</b>"
# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>
# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"
# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
# "<b>hi</b> <span><b>hi</b></span>"
Tagging a string as html safe may be a security risk. Open
).html_safe
- Read upRead up
- Exclude checks
This cop checks for the use of output safety calls like html_safe
,
raw
, and safe_concat
. These methods do not escape content. They
simply return a SafeBuffer containing the content as is. Instead,
use safe_join
to join content and escape it and concat to
concatenate content and escape it, ensuring its safety.
Example:
user_content = "hi"
# bad
"#{user_content}
".html_safe
# => ActiveSupport::SafeBuffer "hi
"
# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>
"
# bad
out = ""
out << "#{user_content} "
out << "#{user_content} "
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi "
# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
# "<b>hi</b>
<b>hi</b> "
# bad
out = "trusted content
".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"
# good
out = "trusted content
".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
# "trusted_content
<b>hi</b>"
# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>
# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"
# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
# "<b>hi</b> <span><b>hi</b></span>"
Tagging a string as html safe may be a security risk. Open
content_tag(:image, href: depiction.image.image_file.url, 'clip-path' => "url(##{anchor})" ).html_safe
- Read upRead up
- Exclude checks
This cop checks for the use of output safety calls like html_safe
,
raw
, and safe_concat
. These methods do not escape content. They
simply return a SafeBuffer containing the content as is. Instead,
use safe_join
to join content and escape it and concat to
concatenate content and escape it, ensuring its safety.
Example:
user_content = "hi"
# bad
"#{user_content}
".html_safe
# => ActiveSupport::SafeBuffer "hi
"
# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>
"
# bad
out = ""
out << "#{user_content} "
out << "#{user_content} "
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi "
# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
# "<b>hi</b>
<b>hi</b> "
# bad
out = "trusted content
".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"
# good
out = "trusted content
".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
# "trusted_content
<b>hi</b>"
# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>
# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"
# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
# "<b>hi</b> <span><b>hi</b></span>"
Prefer symbols instead of strings as hash keys. Open
content_tag(:svg, {foo: nil, "viewBox" => depiction.svg_view_box, xmlns: "http://www.w3.org/2000/svg", 'xmlns:xlink' => "http://www.w3.org/1999/xlink"}) do
- Read upRead up
- Exclude checks
This cop checks for the use of strings as keys in hashes. The use of symbols is preferred instead.
Example:
# bad
{ 'one' => 1, 'two' => 2, 'three' => 3 }
# good
{ one: 1, two: 2, three: 3 }
Prefer single-quoted strings when you don't need string interpolation or special symbols. Open
content_tag(:svg, {foo: nil, "viewBox" => depiction.svg_view_box, xmlns: "http://www.w3.org/2000/svg", 'xmlns:xlink' => "http://www.w3.org/1999/xlink"}) do
- Read upRead up
- Exclude checks
Checks if uses of quotes match the configured preference.
Example: EnforcedStyle: single_quotes (default)
# bad
"No special symbols"
"No string interpolation"
"Just text"
# good
'No special symbols'
'No string interpolation'
'Just text'
"Wait! What's #{this}!"
Example: EnforcedStyle: double_quotes
# bad
'Just some text'
'No special chars or interpolation'
# good
"Just some text"
"No special chars or interpolation"
"Every string in #{project} uses double_quotes"
Prefer symbols instead of strings as hash keys. Open
content_tag(:image, href: depiction.image.image_file.url, 'clip-path' => "url(##{anchor})" ).html_safe
- Read upRead up
- Exclude checks
This cop checks for the use of strings as keys in hashes. The use of symbols is preferred instead.
Example:
# bad
{ 'one' => 1, 'two' => 2, 'three' => 3 }
# good
{ one: 1, two: 2, three: 3 }
Prefer single-quoted strings when you don't need string interpolation or special symbols. Open
content_tag(:svg, {foo: nil, "viewBox" => depiction.svg_view_box, xmlns: "http://www.w3.org/2000/svg", 'xmlns:xlink' => "http://www.w3.org/1999/xlink"}) do
- Read upRead up
- Exclude checks
Checks if uses of quotes match the configured preference.
Example: EnforcedStyle: single_quotes (default)
# bad
"No special symbols"
"No string interpolation"
"Just text"
# good
'No special symbols'
'No string interpolation'
'Just text'
"Wait! What's #{this}!"
Example: EnforcedStyle: double_quotes
# bad
'Just some text'
'No special chars or interpolation'
# good
"Just some text"
"No special chars or interpolation"
"Every string in #{project} uses double_quotes"
Prefer symbols instead of strings as hash keys. Open
content_tag(:svg, {foo: nil, "viewBox" => depiction.svg_view_box, xmlns: "http://www.w3.org/2000/svg", 'xmlns:xlink' => "http://www.w3.org/1999/xlink"}) do
- Read upRead up
- Exclude checks
This cop checks for the use of strings as keys in hashes. The use of symbols is preferred instead.
Example:
# bad
{ 'one' => 1, 'two' => 2, 'three' => 3 }
# good
{ one: 1, two: 2, three: 3 }
Prefer single-quoted strings when you don't need string interpolation or special symbols. Open
content_tag(:svg, {foo: nil, "viewBox" => depiction.svg_view_box, xmlns: "http://www.w3.org/2000/svg", 'xmlns:xlink' => "http://www.w3.org/1999/xlink"}) do
- Read upRead up
- Exclude checks
Checks if uses of quotes match the configured preference.
Example: EnforcedStyle: single_quotes (default)
# bad
"No special symbols"
"No string interpolation"
"Just text"
# good
'No special symbols'
'No string interpolation'
'Just text'
"Wait! What's #{this}!"
Example: EnforcedStyle: double_quotes
# bad
'Just some text'
'No special chars or interpolation'
# good
"Just some text"
"No special chars or interpolation"
"Every string in #{project} uses double_quotes"