Sign upLogin

SpeciesFileGroup/taxonworks

View on GitHub
Star

Showing 12,636 of 12,636 total issues

Tagging a string as html safe may be a security risk.
Open

    ].compact.join(' ').html_safe
Severity: Minor
Found in app/helpers/loan_items_helper.rb by rubocop

This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

Example:

user_content = "hi"

# bad
"
#{user_content}
".html_safe
# => ActiveSupport::SafeBuffer "
hi
"

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "
<b>hi</b>
"

# bad
out = ""
out << "
  • #{user_content}
    • "
out << "
  • #{user_content}
    • "
out.html_safe
# => ActiveSupport::SafeBuffer "
  • hi
    • 

  • hi
    • "

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "
  • <b>hi</b>
    • 

  • <b>hi</b>
    • "

# bad
out = "
    trusted content
    ".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "
    trusted_content
    
hi"

# good
out = "
    trusted content
    ".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "
    trusted_content
    <b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

    Tagging a string as html safe may be a security risk.
    Open

        r.join('<br/>').html_safe
    Severity: Minor
    Found in app/helpers/namespaces_helper.rb by rubocop

    This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

    Example:

    user_content = "hi"

# bad
"
    #{user_content}
    ".html_safe
# => ActiveSupport::SafeBuffer "
    hi
    "

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "
    <b>hi</b>
    "

# bad
out = ""
out << "
  • #{user_content}
    • "
out << "
  • #{user_content}
    • "
out.html_safe
# => ActiveSupport::SafeBuffer "
  • hi
    • 

  • hi
    • "

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "
  • <b>hi</b>
    • 

  • <b>hi</b>
    • "

# bad
out = "
    trusted content
    ".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "
    trusted_content
    
hi"

# good
out = "
    trusted content
    ".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "
    trusted_content
    <b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

    Tagging a string as html safe may be a security risk.
    Open

        link_to(note_tag(note).html_safe, metamorphosize_if(note.note_object)  )
    Severity: Minor
    Found in app/helpers/notes_helper.rb by rubocop

    This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

    Example:

    user_content = "hi"

# bad
"
    #{user_content}
    ".html_safe
# => ActiveSupport::SafeBuffer "
    hi
    "

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "
    <b>hi</b>
    "

# bad
out = ""
out << "
  • #{user_content}
    • "
out << "
  • #{user_content}
    • "
out.html_safe
# => ActiveSupport::SafeBuffer "
  • hi
    • 

  • hi
    • "

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "
  • <b>hi</b>
    • 

  • <b>hi</b>
    • "

# bad
out = "
    trusted content
    ".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "
    trusted_content
    
hi"

# good
out = "
    trusted content
    ".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "
    trusted_content
    <b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

    Prefer symbols instead of strings as hash keys.
    Open

          'xsi:type' => 'nex:ContinuousCells',
    Severity: Minor
    Found in app/helpers/observation_matrices/export/nexml_helper.rb by rubocop

    This cop checks for the use of strings as keys in hashes. The use of symbols is preferred instead.

    Example:

    # bad
{ 'one' => 1, 'two' => 2, 'three' => 3 }

# good
{ one: 1, two: 2, three: 3 }

    Prefer single-quoted strings when you don't need string interpolation or special symbols.
    Open

                  xml.state(id: "cs_#{c.id}_1", label: 'present', symbol: "1")
    Severity: Minor
    Found in app/helpers/observation_matrices/export/nexml_helper.rb by rubocop

    Checks if uses of quotes match the configured preference.

    Example: EnforcedStyle: single_quotes (default)

    # bad
"No special symbols"
"No string interpolation"
"Just text"

# good
'No special symbols'
'No string interpolation'
'Just text'
"Wait! What's #{this}!"

    Example: EnforcedStyle: double_quotes

    # bad
'Just some text'
'No special chars or interpolation'

# good
"Just some text"
"No special chars or interpolation"
"Every string in #{project} uses double_quotes"

    Use if cit.present? instead of unless cit.blank?.
    Open

                  list += "<b>Citation:</b> #{cit}<br>\n" unless cit.blank?
    Severity: Minor
    Found in app/helpers/observation_matrices/export/otu_contents_helper.rb by rubocop

    This cop checks for code that can be written with simpler conditionals using Object#present? defined by Active Support.

    Interaction with Style/UnlessElse: The configuration of NotBlank will not produce an offense in the context of unless else if Style/UnlessElse is inabled. This is to prevent interference between the auto-correction of the two cops.

    Example: NotNilAndNotEmpty: true (default)

    # Converts usages of `!nil? && !empty?` to `present?`

# bad
!foo.nil? && !foo.empty?

# bad
foo != nil && !foo.empty?

# good
foo.present?

    Example: NotBlank: true (default)

    # Converts usages of `!blank?` to `present?`

# bad
!foo.blank?

# bad
not foo.blank?

# good
foo.present?

    Example: UnlessBlank: true (default)

    # Converts usages of `unless blank?` to `if present?`

# bad
something unless foo.blank?

# good
something if foo.present?

    Prefer symbols instead of strings as hash keys.
    Open

        '14' => 'E',
    Severity: Minor
    Found in app/helpers/observation_matrices_helper.rb by rubocop

    This cop checks for the use of strings as keys in hashes. The use of symbols is preferred instead.

    Example:

    # bad
{ 'one' => 1, 'two' => 2, 'three' => 3 }

# good
{ one: 1, two: 2, three: 3 }

    unexpected token tCOMMA (Using Ruby 2.4 parser; configure using TargetRubyVersion parameter, under AllCops)
    Open

            in: otu.observation_matrices.where(is_public:).select(:id, :name).inject({}){|hsh, m| hsh[m.id] = m.name; hsh;} || {},
    Severity: Minor
    Found in app/helpers/otus_helper.rb by rubocop

    This is not actually a cop. It does not inspect anything. It just provides methods to repack Parser's diagnostics/errors into RuboCop's offenses.

    Tagging a string as html safe may be a security risk.
    Open

        link_to(repository_tag(repository).html_safe, repository)
    Severity: Minor
    Found in app/helpers/repositories_helper.rb by rubocop

    This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

    Example:

    user_content = "hi"

# bad
"
    #{user_content}
    ".html_safe
# => ActiveSupport::SafeBuffer "
    hi
    "

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "
    <b>hi</b>
    "

# bad
out = ""
out << "
  • #{user_content}
    • "
out << "
  • #{user_content}
    • "
out.html_safe
# => ActiveSupport::SafeBuffer "
  • hi
    • 

  • hi
    • "

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "
  • <b>hi</b>
    • 

  • <b>hi</b>
    • "

# bad
out = "
    trusted content
    ".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "
    trusted_content
    
hi"

# good
out = "
    trusted content
    ".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "
    trusted_content
    <b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

    Tagging a string as html safe may be a security risk.
    Open

        ].compact.join(' ').html_safe
    Severity: Minor
    Found in app/helpers/repositories_helper.rb by rubocop

    This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

    Example:

    user_content = "hi"

# bad
"
    #{user_content}
    ".html_safe
# => ActiveSupport::SafeBuffer "
    hi
    "

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "
    <b>hi</b>
    "

# bad
out = ""
out << "
  • #{user_content}
    • "
out << "
  • #{user_content}
    • "
out.html_safe
# => ActiveSupport::SafeBuffer "
  • hi
    • 

  • hi
    • "

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "
  • <b>hi</b>
    • 

  • <b>hi</b>
    • "

# bad
out = "
    trusted content
    ".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "
    trusted_content
    
hi"

# good
out = "
    trusted content
    ".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "
    trusted_content
    <b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

    Prefer symbols instead of strings as hash keys.
    Open

          'tag-object-global-id' => object.to_global_id.to_s,
    Severity: Minor
    Found in app/helpers/tags_helper.rb by rubocop

    This cop checks for the use of strings as keys in hashes. The use of symbols is preferred instead.

    Example:

    # bad
{ 'one' => 1, 'two' => 2, 'three' => 3 }

# good
{ one: 1, two: 2, three: 3 }

    Tagging a string as html safe may be a security risk.
    Open

        selector_row.html_safe
    Severity: Minor
    Found in app/helpers/tasks/collecting_events/parse/stepwise/lat_long_helper.rb by rubocop

    This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

    Example:

    user_content = "hi"

# bad
"
    #{user_content}
    ".html_safe
# => ActiveSupport::SafeBuffer "
    hi
    "

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "
    <b>hi</b>
    "

# bad
out = ""
out << "
  • #{user_content}
    • "
out << "
  • #{user_content}
    • "
out.html_safe
# => ActiveSupport::SafeBuffer "
  • hi
    • 

  • hi
    • "

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "
  • <b>hi</b>
    • 

  • <b>hi</b>
    • "

# bad
out = "
    trusted content
    ".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "
    trusted_content
    
hi"

# good
out = "
    trusted content
    ".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "
    trusted_content
    <b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

    Tagging a string as html safe may be a security risk.
    Open

          content_tag(:span, (previous_taxon_name_distribution_link(object) + ' | ' + next_taxon_name_distribution_link(object)).html_safe)
    Severity: Minor
    Found in app/helpers/tasks/gis/otu_distribution_data_helper.rb by rubocop

    This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

    Example:

    user_content = "hi"

# bad
"
    #{user_content}
    ".html_safe
# => ActiveSupport::SafeBuffer "
    hi
    "

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "
    <b>hi</b>
    "

# bad
out = ""
out << "
  • #{user_content}
    • "
out << "
  • #{user_content}
    • "
out.html_safe
# => ActiveSupport::SafeBuffer "
  • hi
    • 

  • hi
    • "

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "
  • <b>hi</b>
    • 

  • <b>hi</b>
    • "

# bad
out = "
    trusted content
    ".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "
    trusted_content
    
hi"

# good
out = "
    trusted content
    ".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "
    trusted_content
    <b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

    Tagging a string as html safe may be a security risk.
    Open

        "[#{download.name}] #{download.description}".html_safe
    Severity: Minor
    Found in app/helpers/downloads_helper.rb by rubocop

    This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

    Example:

    user_content = "hi"

# bad
"
    #{user_content}
    ".html_safe
# => ActiveSupport::SafeBuffer "
    hi
    "

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "
    <b>hi</b>
    "

# bad
out = ""
out << "
  • #{user_content}
    • "
out << "
  • #{user_content}
    • "
out.html_safe
# => ActiveSupport::SafeBuffer "
  • hi
    • 

  • hi
    • "

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "
  • <b>hi</b>
    • 

  • <b>hi</b>
    • "

# bad
out = "
    trusted content
    ".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "
    trusted_content
    
hi"

# good
out = "
    trusted content
    ".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "
    trusted_content
    <b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

    Tagging a string as html safe may be a security risk.
    Open

        ].join(' ').html_safe
    Severity: Minor
    Found in app/helpers/field_occurrences_helper.rb by rubocop

    This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

    Example:

    user_content = "hi"

# bad
"
    #{user_content}
    ".html_safe
# => ActiveSupport::SafeBuffer "
    hi
    "

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "
    <b>hi</b>
    "

# bad
out = ""
out << "
  • #{user_content}
    • "
out << "
  • #{user_content}
    • "
out.html_safe
# => ActiveSupport::SafeBuffer "
  • hi
    • 

  • hi
    • "

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "
  • <b>hi</b>
    • 

  • <b>hi</b>
    • "

# bad
out = "
    trusted content
    ".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "
    trusted_content
    
hi"

# good
out = "
    trusted content
    ".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "
    trusted_content
    <b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

    Tagging a string as html safe may be a security risk.
    Open

                    ] }.flatten.join.html_safe)
    Severity: Minor
    Found in app/helpers/geographic_items_helper.rb by rubocop

    This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

    Example:

    user_content = "hi"

# bad
"
    #{user_content}
    ".html_safe
# => ActiveSupport::SafeBuffer "
    hi
    "

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "
    <b>hi</b>
    "

# bad
out = ""
out << "
  • #{user_content}
    • "
out << "
  • #{user_content}
    • "
out.html_safe
# => ActiveSupport::SafeBuffer "
  • hi
    • 

  • hi
    • "

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "
  • <b>hi</b>
    • 

  • <b>hi</b>
    • "

# bad
out = "
    trusted content
    ".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "
    trusted_content
    
hi"

# good
out = "
    trusted content
    ".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "
    trusted_content
    <b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

    unexpected token tRPAREN (Using Ruby 2.4 parser; configure using TargetRubyVersion parameter, under AllCops)
    Open

          g = Export::Graph.new( object: )
    Severity: Minor
    Found in app/helpers/graph_helper.rb by rubocop

    This is not actually a cop. It does not inspect anything. It just provides methods to repack Parser's diagnostics/errors into RuboCop's offenses.

    Tagging a string as html safe may be a security risk.
    Open

            c.to_svg(xmargin: 0, ymargin: 0).html_safe,
    Severity: Minor
    Found in app/helpers/labels_helper.rb by rubocop

    This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

    Example:

    user_content = "hi"

# bad
"
    #{user_content}
    ".html_safe
# => ActiveSupport::SafeBuffer "
    hi
    "

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "
    <b>hi</b>
    "

# bad
out = ""
out << "
  • #{user_content}
    • "
out << "
  • #{user_content}
    • "
out.html_safe
# => ActiveSupport::SafeBuffer "
  • hi
    • 

  • hi
    • "

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "
  • <b>hi</b>
    • 

  • <b>hi</b>
    • "

# bad
out = "
    trusted content
    ".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "
    trusted_content
    
hi"

# good
out = "
    trusted content
    ".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "
    trusted_content
    <b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

    Tagging a string as html safe may be a security risk.
    Open

        if s = citation.citation_topics.collect{|t| label_for_controlled_vocabulary_term(t.topic)}.join('; ').html_safe
    Severity: Minor
    Found in app/helpers/lib/catalog_helper.rb by rubocop

    This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

    Example:

    user_content = "hi"

# bad
"
    #{user_content}
    ".html_safe
# => ActiveSupport::SafeBuffer "
    hi
    "

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "
    <b>hi</b>
    "

# bad
out = ""
out << "
  • #{user_content}
    • "
out << "
  • #{user_content}
    • "
out.html_safe
# => ActiveSupport::SafeBuffer "
  • hi
    • 

  • hi
    • "

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "
  • <b>hi</b>
    • 

  • <b>hi</b>
    • "

# bad
out = "
    trusted content
    ".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "
    trusted_content
    
hi"

# good
out = "
    trusted content
    ".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "
    trusted_content
    <b>hi</b>"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

    unexpected token tRPAREN (Using Ruby 2.4 parser; configure using TargetRubyVersion parameter, under AllCops)
    Open

        q = LoanItem.where(loan:)
    Severity: Minor
    Found in app/helpers/loans_helper.rb by rubocop

    This is not actually a cop. It does not inspect anything. It just provides methods to repack Parser's diagnostics/errors into RuboCop's offenses.

    Severity
    Category
    Status
    Source
    Language