Issues - SpeciesFileGroup/taxonworks

Tagging a string as html safe may be a security risk.
Open

    ].join.html_safe

Found in app/helpers/citations_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

Example:

user_content = "hi"

# bad
"#{user_content}".html_safe
# => ActiveSupport::SafeBuffer "hi"

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>"

# bad
out = ""
out << "#{user_content}"
out << "#{user_content}"
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi"

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "<b>hi</b>
<b>hi</b>"

# bad
out = "trusted content".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"

# good
out = "trusted content".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "trusted_content<b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

Tagging a string as html safe may be a security risk.
Open

    link_to(citation_tag(citation).html_safe, citation.citation_object.metamorphosize)

Found in app/helpers/citations_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

Example:

user_content = "hi"

# bad
"#{user_content}".html_safe
# => ActiveSupport::SafeBuffer "hi"

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>"

# bad
out = ""
out << "#{user_content}"
out << "#{user_content}"
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi"

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "<b>hi</b>
<b>hi</b>"

# bad
out = "trusted content".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"

# good
out = "trusted content".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "trusted_content<b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

Prefer symbols instead of strings as hash keys.
Open

          'id' => collecting_event.id,

Found in app/helpers/collecting_events_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of strings as keys in hashes. The use of symbols is preferred instead.

Example:

# bad
{ 'one' => 1, 'two' => 2, 'three' => 3 }

# good
{ one: 1, two: 2, three: 3 }

Tagging a string as html safe may be a security risk.
Open

      collecting_event_autocomplete_tag(collecting_event, '; ').html_safe

Found in app/helpers/collecting_events_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

Example:

user_content = "hi"

# bad
"#{user_content}".html_safe
# => ActiveSupport::SafeBuffer "hi"

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>"

# bad
out = ""
out << "#{user_content}"
out << "#{user_content}"
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi"

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "<b>hi</b>
<b>hi</b>"

# bad
out = "trusted content".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"

# good
out = "trusted content".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "trusted_content<b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

Tagging a string as html safe may be a security risk.
Open

    a.compact.join('&nbsp;').html_safe

Found in app/helpers/containers_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

Example:

user_content = "hi"

# bad
"#{user_content}".html_safe
# => ActiveSupport::SafeBuffer "hi"

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>"

# bad
out = ""
out << "#{user_content}"
out << "#{user_content}"
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi"

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "<b>hi</b>
<b>hi</b>"

# bad
out = "trusted content".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"

# good
out = "trusted content".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "trusted_content<b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

Tagging a string as html safe may be a security risk.
Open

    link_to(container_tag(container.metamorphosize).html_safe, container.metamorphosize)

Found in app/helpers/containers_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

Example:

user_content = "hi"

# bad
"#{user_content}".html_safe
# => ActiveSupport::SafeBuffer "hi"

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>"

# bad
out = ""
out << "#{user_content}"
out << "#{user_content}"
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi"

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "<b>hi</b>
<b>hi</b>"

# bad
out = "trusted content".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"

# good
out = "trusted content".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "trusted_content<b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

Prefer symbols instead of strings as hash keys.
Open

          'type' => 'AssertedDistribution',

Found in app/helpers/asserted_distributions_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of strings as keys in hashes. The use of symbols is preferred instead.

Example:

# bad
{ 'one' => 1, 'two' => 2, 'three' => 3 }

# good
{ one: 1, two: 2, three: 3 }

Prefer symbols instead of strings as hash keys.
Open

        'shape' => {

Found in app/helpers/asserted_distributions_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of strings as keys in hashes. The use of symbols is preferred instead.

Example:

# bad
{ 'one' => 1, 'two' => 2, 'three' => 3 }

# good
{ one: 1, two: 2, three: 3 }

Tagging a string as html safe may be a security risk.
Open

    ('Created by ' + Utilities::Strings.authorship_sentence(a.collect{|b| b.name})).html_safe

Found in app/helpers/attributions_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

Example:

user_content = "hi"

# bad
"#{user_content}".html_safe
# => ActiveSupport::SafeBuffer "hi"

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>"

# bad
out = ""
out << "#{user_content}"
out << "#{user_content}"
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi"

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "<b>hi</b>
<b>hi</b>"

# bad
out = "trusted content".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"

# good
out = "trusted content".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "trusted_content<b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

Tagging a string as html safe may be a security risk.
Open

    [citation.citation_object.class.name, ': ', object_tag(citation.citation_object&.metamorphosize), ' in ', citation_source_body(citation)].compact.join.html_safe

Found in app/helpers/citations_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

Example:

user_content = "hi"

# bad
"#{user_content}".html_safe
# => ActiveSupport::SafeBuffer "hi"

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>"

# bad
out = ""
out << "#{user_content}"
out << "#{user_content}"
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi"

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "<b>hi</b>
<b>hi</b>"

# bad
out = "trusted content".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"

# good
out = "trusted content".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "trusted_content<b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

Tagging a string as html safe may be a security risk.
Open

        }.join.html_safe

Found in app/helpers/citations_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

Example:

user_content = "hi"

# bad
"#{user_content}".html_safe
# => ActiveSupport::SafeBuffer "hi"

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>"

# bad
out = ""
out << "#{user_content}"
out << "#{user_content}"
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi"

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "<b>hi</b>
<b>hi</b>"

# bad
out = "trusted content".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"

# good
out = "trusted content".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "trusted_content<b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

Prefer symbols instead of strings as hash keys.
Open

    return content_tag(:div, 'None', 'class' => 'navigation-item disable') if o.nil?

Found in app/helpers/collecting_events_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of strings as keys in hashes. The use of symbols is preferred instead.

Example:

# bad
{ 'one' => 1, 'two' => 2, 'three' => 3 }

# good
{ one: 1, two: 2, three: 3 }

Prefer symbols instead of strings as hash keys.
Open

          'type' => 'CollectingEvent',

Found in app/helpers/collecting_events_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of strings as keys in hashes. The use of symbols is preferred instead.

Example:

# bad
{ 'one' => 1, 'two' => 2, 'three' => 3 }

# good
{ one: 1, two: 2, three: 3 }

Tagging a string as html safe may be a security risk.
Open

    content_tag(:span, [c.x.round(4), c.y.round(4)].join('&nbsp;&#8212;&nbsp;').html_safe)

Found in app/helpers/collecting_events_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

Example:

user_content = "hi"

# bad
"#{user_content}".html_safe
# => ActiveSupport::SafeBuffer "hi"

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>"

# bad
out = ""
out << "#{user_content}"
out << "#{user_content}"
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi"

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "<b>hi</b>
<b>hi</b>"

# bad
out = "trusted content".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"

# good
out = "trusted content".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "trusted_content<b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

unexpected token tRCURLY (Using Ruby 2.4 parser; configure using `TargetRubyVersion` parameter, under `AllCops`)
Open

Found in app/helpers/collection_objects_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This is not actually a cop. It does not inspect anything. It just provides methods to repack Parser's diagnostics/errors into RuboCop's offenses.

Prefer symbols instead of strings as hash keys.
Open

      'confidence-default' => 'true',

Found in app/helpers/confidences_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of strings as keys in hashes. The use of symbols is preferred instead.

Example:

# bad
{ 'one' => 1, 'two' => 2, 'three' => 3 }

# good
{ one: 1, two: 2, three: 3 }

Tagging a string as html safe may be a security risk.
Open

    content_tag(:span, title: MARKDOWN_HTML.render(content.text).html_safe  ) do

Found in app/helpers/contents_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

Example:

user_content = "hi"

# bad
"#{user_content}".html_safe
# => ActiveSupport::SafeBuffer "hi"

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>"

# bad
out = ""
out << "#{user_content}"
out << "#{user_content}"
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi"

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "<b>hi</b>
<b>hi</b>"

# bad
out = "trusted content".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"

# good
out = "trusted content".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "trusted_content<b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

Redundant use of `Object#to_s` in interpolation.
Open

      s += ' ' + content_tag(:span, "#{d.to_s}&nbsp;#{'observation depiction'.pluralize(d)}".html_safe, class: [:feedback, 'feedback-secondary', 'feedback-thin'])

Found in app/helpers/descriptors_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for string conversion in string interpolation, which is redundant.

Example:

# bad

"result is #{something.to_s}"

Example:

# good

"result is #{something}"

Prefer symbols instead of strings as hash keys.
Open

        'is_absent' => asserted_distribution.is_absent

Found in app/helpers/asserted_distributions_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of strings as keys in hashes. The use of symbols is preferred instead.

Example:

# bad
{ 'one' => 1, 'two' => 2, 'three' => 3 }

# good
{ one: 1, two: 2, three: 3 }

Tagging a string as html safe may be a security risk.
Open

      otu_tag(asserted_distribution.otu).html_safe,

Found in app/helpers/asserted_distributions_helper.rb by rubocop

Read up
Read up
Exclude checks
- Disable engine
- Disable check

This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

Example:

user_content = "hi"

# bad
"#{user_content}".html_safe
# => ActiveSupport::SafeBuffer "hi"

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>"

# bad
out = ""
out << "#{user_content}"
out << "#{user_content}"
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi"

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "<b>hi</b>
<b>hi</b>"

# bad
out = "trusted content".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"

# good
out = "trusted content".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "trusted_content<b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

SpeciesFileGroup/taxonworks

Showing 12,636 of 12,636 total issues

Tagging a string as html safe may be a security risk. Open

Example:

trusted content

trusted_content

trusted content

trusted_content

Tagging a string as html safe may be a security risk. Open

Example:

trusted content

trusted_content

trusted content

trusted_content

Prefer symbols instead of strings as hash keys. Open

Example:

Tagging a string as html safe may be a security risk. Open

Example:

trusted content

trusted_content

trusted content

trusted_content

Tagging a string as html safe may be a security risk. Open

Example:

trusted content

trusted_content

trusted content

trusted_content

Tagging a string as html safe may be a security risk. Open

Example:

trusted content

trusted_content

trusted content

trusted_content

Prefer symbols instead of strings as hash keys. Open

Example:

Prefer symbols instead of strings as hash keys. Open

Example:

Tagging a string as html safe may be a security risk. Open

Example:

trusted content

trusted_content

trusted content

trusted_content

Tagging a string as html safe may be a security risk. Open

Example:

trusted content

trusted_content

trusted content

trusted_content

Tagging a string as html safe may be a security risk. Open

Example:

trusted content

trusted_content

trusted content

trusted_content

Prefer symbols instead of strings as hash keys. Open

Example:

Prefer symbols instead of strings as hash keys. Open

Example:

Tagging a string as html safe may be a security risk. Open

Example:

trusted content

trusted_content

trusted content

trusted_content

unexpected token tRCURLY (Using Ruby 2.4 parser; configure using TargetRubyVersion parameter, under AllCops) Open

Prefer symbols instead of strings as hash keys. Open

Example:

Tagging a string as html safe may be a security risk. Open

Example:

trusted content

trusted_content

trusted content

trusted_content

Redundant use of Object#to_s in interpolation. Open

Example:

Example:

Prefer symbols instead of strings as hash keys. Open

Example:

Tagging a string as html safe may be a security risk.
Open

Tagging a string as html safe may be a security risk.
Open

Prefer symbols instead of strings as hash keys.
Open

Tagging a string as html safe may be a security risk.
Open

Tagging a string as html safe may be a security risk.
Open

Tagging a string as html safe may be a security risk.
Open

Prefer symbols instead of strings as hash keys.
Open

Prefer symbols instead of strings as hash keys.
Open

Tagging a string as html safe may be a security risk.
Open

Tagging a string as html safe may be a security risk.
Open

Tagging a string as html safe may be a security risk.
Open

Prefer symbols instead of strings as hash keys.
Open

Prefer symbols instead of strings as hash keys.
Open

Tagging a string as html safe may be a security risk.
Open

unexpected token tRCURLY (Using Ruby 2.4 parser; configure using `TargetRubyVersion` parameter, under `AllCops`)
Open

Prefer symbols instead of strings as hash keys.
Open

Tagging a string as html safe may be a security risk.
Open

Redundant use of `Object#to_s` in interpolation.
Open

Prefer symbols instead of strings as hash keys.
Open

Tagging a string as html safe may be a security risk.
Open