app/views/events/_event.html.erb
Potentially unsafe model attribute in link_to href Open
Open
<p><strong>URL: </strong><%= link_to @event.url, @event.url, :class => 'branco' if @event.url.present? %></p>
- Read upRead up
- Exclude checks
Even though Rails will escape the link provided to link_to
, values starting with javascript:
or data:
are unescaped and dangerous.
Brakeman will warn on if user values are used to provide the HREF value in link_to
or if they are interpolated at the beginning of a string.
The --url-safe-methods
option can be used to specify methods which make URLs safe.
See here for more details.