Issues - SpeciesFileGroup/taxonworks

Tagging a string as html safe may be a security risk.
Open

      content_tag(:td, "'#{otu.name}'" + (otu.new_record? ? '<br>(New)' : '').html_safe)

Found in app/helpers/batch_load/batch_load_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

Example:

user_content = "hi"

# bad
"#{user_content}".html_safe
# => ActiveSupport::SafeBuffer "hi"

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>"

# bad
out = ""
out << "#{user_content}"
out << "#{user_content}"
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi"

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "<b>hi</b>
<b>hi</b>"

# bad
out = "trusted content".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"

# good
out = "trusted content".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "trusted_content<b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

Use `if cached_map.blank?` instead of `unless cached_map.present?`.
Open

    return {} unless cached_map.present?

Found in app/helpers/cached_maps_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for code that can be written with simpler conditionals using Object#blank? defined by Active Support.

Interaction with Style/UnlessElse: The configuration of NotPresent will not produce an offense in the context of unless else if Style/UnlessElse is inabled. This is to prevent interference between the auto-correction of the two cops.

Example: NilOrEmpty: true (default)

# Converts usages of `nil? || empty?` to `blank?`

# bad
foo.nil? || foo.empty?
foo == nil || foo.empty?

# good
foo.blank?

Example: NotPresent: true (default)

# Converts usages of `!present?` to `blank?`

# bad
!foo.present?

# good
foo.blank?

Example: UnlessPresent: true (default)

# Converts usages of `unless present?` to `if blank?`

# bad
something unless foo.present?

# good
something if foo.blank?

# bad
unless foo.present?
  something
end

# good
if foo.blank?
  something
end

# good
def blank?
  !present?
end

Tagging a string as html safe may be a security risk.
Open

    s = collecting_event.date_range.uniq.join('&nbsp;&#8212;&nbsp;').html_safe

Found in app/helpers/collecting_events_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

Example:

user_content = "hi"

# bad
"#{user_content}".html_safe
# => ActiveSupport::SafeBuffer "hi"

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>"

# bad
out = ""
out << "#{user_content}"
out << "#{user_content}"
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi"

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "<b>hi</b>
<b>hi</b>"

# bad
out = "trusted content".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"

# good
out = "trusted content".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "trusted_content<b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

Tagging a string as html safe may be a security risk.
Open

     Utilities::Strings.nil_wrap(' [via ', collecting_event.verbatim_datum, ']')&.html_safe,

Found in app/helpers/collecting_events_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

Example:

user_content = "hi"

# bad
"#{user_content}".html_safe
# => ActiveSupport::SafeBuffer "hi"

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>"

# bad
out = ""
out << "#{user_content}"
out << "#{user_content}"
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi"

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "<b>hi</b>
<b>hi</b>"

# bad
out = "trusted content".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"

# good
out = "trusted content".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "trusted_content<b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

unexpected token tCOMMA (Using Ruby 2.4 parser; configure using `TargetRubyVersion` parameter, under `AllCops`)
Open

      data:,

Found in app/helpers/collection_objects_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This is not actually a cop. It does not inspect anything. It just provides methods to repack Parser's diagnostics/errors into RuboCop's offenses.

Tagging a string as html safe may be a security risk.
Open

      object.confidences.collect { |a| content_tag(:li, confidence_tag(a)) }.join.html_safe

Found in app/helpers/confidences_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

Example:

user_content = "hi"

# bad
"#{user_content}".html_safe
# => ActiveSupport::SafeBuffer "hi"

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>"

# bad
out = ""
out << "#{user_content}"
out << "#{user_content}"
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi"

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "<b>hi</b>
<b>hi</b>"

# bad
out = "trusted content".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"

# good
out = "trusted content".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "trusted_content<b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

Use 2 (not 0) spaces for indentation.
Open

def data_attribute_list_tag(object)

Found in app/helpers/data_attributes_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for indentation that doesn't use the specified number of spaces.

See also the IndentationConsistency cop which is the companion to this one.

Example:

# bad
class A
 def test
  puts 'hello'
 end
end

# good
class A
  def test
    puts 'hello'
  end
end

Example: IgnoredPatterns: ['^\s*module']

# bad
module A
class B
  def test
  puts 'hello'
  end
end
end

# good
module A
class B
  def test
    puts 'hello'
  end
end
end

Prefer single-quoted strings when you don't need string interpolation or special symbols.
Open

    content_tag(:svg, {foo: nil, "viewBox" => depiction.svg_view_box, xmlns: "http://www.w3.org/2000/svg", 'xmlns:xlink' => "http://www.w3.org/1999/xlink"}) do

Found in app/helpers/depictions_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Checks if uses of quotes match the configured preference.

Example: EnforcedStyle: single_quotes (default)

# bad
"No special symbols"
"No string interpolation"
"Just text"

# good
'No special symbols'
'No string interpolation'
'Just text'
"Wait! What's #{this}!"

Example: EnforcedStyle: double_quotes

# bad
'Just some text'
'No special chars or interpolation'

# good
"Just some text"
"No special chars or interpolation"
"Every string in #{project} uses double_quotes"

Tagging a string as html safe may be a security risk.
Open

              asserted_distribution) ].join('&nbsp;').html_safe

Found in app/helpers/asserted_distributions_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

Example:

user_content = "hi"

# bad
"#{user_content}".html_safe
# => ActiveSupport::SafeBuffer "hi"

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>"

# bad
out = ""
out << "#{user_content}"
out << "#{user_content}"
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi"

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "<b>hi</b>
<b>hi</b>"

# bad
out = "trusted content".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"

# good
out = "trusted content".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "trusted_content<b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

Tagging a string as html safe may be a security risk.
Open

      link_to(otu_tag(asserted_distribution.otu).html_safe, asserted_distribution.otu),

Found in app/helpers/asserted_distributions_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

Example:

user_content = "hi"

# bad
"#{user_content}".html_safe
# => ActiveSupport::SafeBuffer "hi"

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>"

# bad
out = ""
out << "#{user_content}"
out << "#{user_content}"
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi"

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "<b>hi</b>
<b>hi</b>"

# bad
out = "trusted content".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"

# good
out = "trusted content".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "trusted_content<b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

Tagging a string as html safe may be a security risk.
Open

      link_to(geographic_area_tag(asserted_distribution.geographic_area).html_safe,

Found in app/helpers/asserted_distributions_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

Example:

user_content = "hi"

# bad
"#{user_content}".html_safe
# => ActiveSupport::SafeBuffer "hi"

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>"

# bad
out = ""
out << "#{user_content}"
out << "#{user_content}"
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi"

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "<b>hi</b>
<b>hi</b>"

# bad
out = "trusted content".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"

# good
out = "trusted content".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "trusted_content<b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

Tagging a string as html safe may be a security risk.
Open

    a.compact.join('. ').html_safe

Found in app/helpers/attributions_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

Example:

user_content = "hi"

# bad
"#{user_content}".html_safe
# => ActiveSupport::SafeBuffer "hi"

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>"

# bad
out = ""
out << "#{user_content}"
out << "#{user_content}"
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi"

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "<b>hi</b>
<b>hi</b>"

# bad
out = "trusted content".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"

# good
out = "trusted content".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "trusted_content<b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

Tagging a string as html safe may be a security risk.
Open

        tag.span(rp.parse_errors.join(sep).html_safe, class: [:feedback,'feedback-thin', 'feedback-danger'])

Found in app/helpers/batch_load/batch_load_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

Example:

user_content = "hi"

# bad
"#{user_content}".html_safe
# => ActiveSupport::SafeBuffer "hi"

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>"

# bad
out = ""
out << "#{user_content}"
out << "#{user_content}"
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi"

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "<b>hi</b>
<b>hi</b>"

# bad
out = "trusted content".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"

# good
out = "trusted content".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "trusted_content<b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

Tagging a string as html safe may be a security risk.
Open

    s.html_safe

Found in app/helpers/attributions_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

Example:

user_content = "hi"

# bad
"#{user_content}".html_safe
# => ActiveSupport::SafeBuffer "hi"

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>"

# bad
out = ""
out << "#{user_content}"
out << "#{user_content}"
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi"

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "<b>hi</b>
<b>hi</b>"

# bad
out = "trusted content".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"

# good
out = "trusted content".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "trusted_content<b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

Prefer symbols instead of strings as hash keys.
Open

      'type' => 'Feature',

Found in app/helpers/asserted_distributions_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of strings as keys in hashes. The use of symbols is preferred instead.

Example:

# bad
{ 'one' => 1, 'two' => 2, 'three' => 3 }

# good
{ one: 1, two: 2, three: 3 }

Tagging a string as html safe may be a security risk.
Open

      Utilities::Strings.nil_wrap(nil, [collecting_event.minimum_elevation, collecting_event.maximum_elevation].compact.join('-'), 'm')&.html_safe,

Found in app/helpers/collecting_events_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

Example:

user_content = "hi"

# bad
"#{user_content}".html_safe
# => ActiveSupport::SafeBuffer "hi"

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>"

# bad
out = ""
out << "#{user_content}"
out << "#{user_content}"
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi"

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "<b>hi</b>
<b>hi</b>"

# bad
out = "trusted content".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"

# good
out = "trusted content".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "trusted_content<b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

Tagging a string as html safe may be a security risk.
Open

    ('Owned by ' + Utilities::Strings.authorship_sentence(a.collect{|b| b.name})).html_safe

Found in app/helpers/attributions_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

Example:

user_content = "hi"

# bad
"#{user_content}".html_safe
# => ActiveSupport::SafeBuffer "hi"

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>"

# bad
out = ""
out << "#{user_content}"
out << "#{user_content}"
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi"

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "<b>hi</b>
<b>hi</b>"

# bad
out = "trusted content".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"

# good
out = "trusted content".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "trusted_content<b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

Tagging a string as html safe may be a security risk.
Open

    str += options.join('<br>&nbsp;').html_safe

Found in app/helpers/batch_load/batch_load_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

Example:

user_content = "hi"

# bad
"#{user_content}".html_safe
# => ActiveSupport::SafeBuffer "hi"

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>"

# bad
out = ""
out << "#{user_content}"
out << "#{user_content}"
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi"

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "<b>hi</b>
<b>hi</b>"

# bad
out = "trusted content".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"

# good
out = "trusted content".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "trusted_content<b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

Prefer symbols instead of strings as hash keys.
Open

        'base' => {

Found in app/helpers/asserted_distributions_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of strings as keys in hashes. The use of symbols is preferred instead.

Example:

# bad
{ 'one' => 1, 'two' => 2, 'three' => 3 }

# good
{ one: 1, two: 2, three: 3 }

Tagging a string as html safe may be a security risk.
Open

      ).html_safe

Found in app/helpers/depictions_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

Example:

user_content = "hi"

# bad
"#{user_content}".html_safe
# => ActiveSupport::SafeBuffer "hi"

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>"

# bad
out = ""
out << "#{user_content}"
out << "#{user_content}"
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi"

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "<b>hi</b>
<b>hi</b>"

# bad
out = "trusted content".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"

# good
out = "trusted content".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "trusted_content<b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

SpeciesFileGroup/taxonworks

Showing 12,636 of 12,636 total issues

Tagging a string as html safe may be a security risk. Open

Example:

trusted content

trusted_content

trusted content

trusted_content

Use if cached_map.blank? instead of unless cached_map.present?. Open

Example: NilOrEmpty: true (default)

Example: NotPresent: true (default)

Example: UnlessPresent: true (default)

Tagging a string as html safe may be a security risk. Open

Example:

trusted content

trusted_content

trusted content

trusted_content

Tagging a string as html safe may be a security risk. Open

Example:

trusted content

trusted_content

trusted content

trusted_content

unexpected token tCOMMA (Using Ruby 2.4 parser; configure using TargetRubyVersion parameter, under AllCops) Open

Tagging a string as html safe may be a security risk. Open

Example:

trusted content

trusted_content

trusted content

trusted_content

Use 2 (not 0) spaces for indentation. Open

Example:

Example: IgnoredPatterns: ['^\s*module']

Prefer single-quoted strings when you don't need string interpolation or special symbols. Open

Example: EnforcedStyle: single_quotes (default)

Example: EnforcedStyle: double_quotes

Tagging a string as html safe may be a security risk. Open

Example:

trusted content

trusted_content

trusted content

trusted_content

Tagging a string as html safe may be a security risk. Open

Example:

trusted content

trusted_content

trusted content

trusted_content

Tagging a string as html safe may be a security risk. Open

Example:

trusted content

trusted_content

trusted content

trusted_content

Tagging a string as html safe may be a security risk. Open

Example:

trusted content

trusted_content

trusted content

trusted_content

Tagging a string as html safe may be a security risk. Open

Example:

trusted content

trusted_content

trusted content

trusted_content

Tagging a string as html safe may be a security risk. Open

Example:

trusted content

trusted_content

trusted content

trusted_content

Prefer symbols instead of strings as hash keys. Open

Example:

Tagging a string as html safe may be a security risk. Open

Example:

trusted content

trusted_content

trusted content

Tagging a string as html safe may be a security risk.
Open

Use `if cached_map.blank?` instead of `unless cached_map.present?`.
Open

Tagging a string as html safe may be a security risk.
Open

Tagging a string as html safe may be a security risk.
Open

unexpected token tCOMMA (Using Ruby 2.4 parser; configure using `TargetRubyVersion` parameter, under `AllCops`)
Open

Tagging a string as html safe may be a security risk.
Open

Use 2 (not 0) spaces for indentation.
Open

Prefer single-quoted strings when you don't need string interpolation or special symbols.
Open

Tagging a string as html safe may be a security risk.
Open

Tagging a string as html safe may be a security risk.
Open

Tagging a string as html safe may be a security risk.
Open

Tagging a string as html safe may be a security risk.
Open

Tagging a string as html safe may be a security risk.
Open

Tagging a string as html safe may be a security risk.
Open

Prefer symbols instead of strings as hash keys.
Open

Tagging a string as html safe may be a security risk.
Open

Tagging a string as html safe may be a security risk.
Open

Tagging a string as html safe may be a security risk.
Open

Prefer symbols instead of strings as hash keys.
Open

Tagging a string as html safe may be a security risk.
Open