Tagging a string as html safe may be a security risk. Open
label.html_safe + ' ' + column_sort_icon(grid, column).html_safe
- Read upRead up
- Exclude checks
This cop checks for the use of output safety calls like html_safe
,
raw
, and safe_concat
. These methods do not escape content. They
simply return a SafeBuffer containing the content as is. Instead,
use safe_join
to join content and escape it and concat to
concatenate content and escape it, ensuring its safety.
Example:
user_content = "hi"
# bad
"#{user_content}
".html_safe
# => ActiveSupport::SafeBuffer "hi
"
# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>
"
# bad
out = ""
out << "#{user_content} "
out << "#{user_content} "
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi "
# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
# "<b>hi</b>
<b>hi</b> "
# bad
out = "trusted content
".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"
# good
out = "trusted content
".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
# "trusted_content
<b>hi</b>"
# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>
# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"
# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
# "<b>hi</b> <span><b>hi</b></span>"
Tagging a string as html safe may be a security risk. Open
label.html_safe + ' ' + column_sort_icon(grid, column).html_safe
- Read upRead up
- Exclude checks
This cop checks for the use of output safety calls like html_safe
,
raw
, and safe_concat
. These methods do not escape content. They
simply return a SafeBuffer containing the content as is. Instead,
use safe_join
to join content and escape it and concat to
concatenate content and escape it, ensuring its safety.
Example:
user_content = "hi"
# bad
"#{user_content}
".html_safe
# => ActiveSupport::SafeBuffer "hi
"
# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>
"
# bad
out = ""
out << "#{user_content} "
out << "#{user_content} "
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi "
# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
# "<b>hi</b>
<b>hi</b> "
# bad
out = "trusted content
".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"
# good
out = "trusted content
".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
# "trusted_content
<b>hi</b>"
# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>
# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"
# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
# "<b>hi</b> <span><b>hi</b></span>"
Prefer string interpolation to string concatenation. Open
label.html_safe + ' ' + column_sort_icon(grid, column).html_safe
- Read upRead up
- Exclude checks
Checks for places where string concatenation can be replaced with string interpolation.
The cop can autocorrect simple cases but will skip autocorrecting more complex cases where the resulting code would be harder to read. In those cases, it might be useful to extract statements to local variables or methods which you can then interpolate in a string.
NOTE: When concatenation between two strings is broken over multiple
lines, this cop does not register an offense; instead,
Style/LineEndConcatenation
will pick up the offense if enabled.
Two modes are supported:
1. aggressive
style checks and corrects all occurrences of +
where
either the left or right side of +
is a string literal.
2. conservative
style on the other hand, checks and corrects only if
left side (receiver of +
method call) is a string literal.
This is useful when the receiver is some expression that returns string like Pathname
instead of a string literal.
Safety:
This cop is unsafe in aggressive
mode, as it cannot be guaranteed that
the receiver is actually a string, which can result in a false positive.
Example: Mode: aggressive (default)
# bad
email_with_name = user.name + ' <' + user.email + '>'
Pathname.new('/') + 'test'
# good
email_with_name = "#{user.name} <#{user.email}>"
email_with_name = format('%s <%s>', user.name, user.email)
"#{Pathname.new('/')}test"
# accepted, line-end concatenation
name = 'First' +
'Last'
Example: Mode: conservative
# bad
'Hello' + user.name
# good
"Hello #{user.name}"
user.name + '!!'
Pathname.new('/') + 'test'
Final newline missing. Open
end
- Read upRead up
- Exclude checks
Looks for trailing blank lines and a final newline in the source code.
Example: EnforcedStyle: final_newline (default)
# `final_newline` looks for one newline at the end of files.
# bad
class Foo; end
# EOF
# bad
class Foo; end # EOF
# good
class Foo; end
# EOF
Example: EnforcedStyle: finalblankline
# `final_blank_line` looks for one blank line followed by a new line
# at the end of files.
# bad
class Foo; end
# EOF
# bad
class Foo; end # EOF
# good
class Foo; end
# EOF
Omit the hash value. Open
htmx_options = { push_url: push_url, get: table_path, target: '#data-grid-table', swap: 'morph:innerHTML' }
- Read upRead up
- Exclude checks
Checks hash literal syntax.
It can enforce either the use of the class hash rocket syntax or the use of the newer Ruby 1.9 syntax (when applicable).
A separate offense is registered for each problematic pair.
The supported styles are:
- ruby19 - forces use of the 1.9 syntax (e.g.
{a: 1}
) when hashes have all symbols for keys - hash_rockets - forces use of hash rockets for all hashes
- nomixedkeys - simply checks for hashes with mixed syntaxes
- ruby19nomixed_keys - forces use of ruby 1.9 syntax and forbids mixed syntax hashes
This cop has EnforcedShorthandSyntax
option.
It can enforce either the use of the explicit hash value syntax or
the use of Ruby 3.1's hash value shorthand syntax.
The supported styles are:
- always - forces use of the 3.1 syntax (e.g. {foo:})
- never - forces use of explicit hash literal value
- either - accepts both shorthand and explicit use of hash literal value
- consistent - forces use of the 3.1 syntax only if all values can be omitted in the hash
Example: EnforcedStyle: ruby19 (default)
# bad
{:a => 2}
{b: 1, :c => 2}
# good
{a: 2, b: 1}
{:c => 2, 'd' => 2} # acceptable since 'd' isn't a symbol
{d: 1, 'e' => 2} # technically not forbidden
Example: EnforcedStyle: hash_rockets
# bad
{a: 1, b: 2}
{c: 1, 'd' => 5}
# good
{:a => 1, :b => 2}
Example: EnforcedStyle: nomixedkeys
# bad
{:a => 1, b: 2}
{c: 1, 'd' => 2}
# good
{:a => 1, :b => 2}
{c: 1, d: 2}
Example: EnforcedStyle: ruby19nomixed_keys
# bad
{:a => 1, :b => 2}
{c: 2, 'd' => 3} # should just use hash rockets
# good
{a: 1, b: 2}
{:c => 3, 'd' => 4}
Example: EnforcedShorthandSyntax: always (default)
# bad
{foo: foo, bar: bar}
# good
{foo:, bar:}
Example: EnforcedShorthandSyntax: never
# bad
{foo:, bar:}
# good
{foo: foo, bar: bar}
Example: EnforcedShorthandSyntax: either
# good
{foo: foo, bar: bar}
# good
{foo: foo, bar:}
# good
{foo:, bar:}
Example: EnforcedShorthandSyntax: consistent
# bad - `foo` and `bar` values can be omitted
{foo: foo, bar: bar}
# bad - `bar` value can be omitted
{foo:, bar: bar}
# bad - mixed syntaxes
{foo:, bar: baz}
# good
{foo:, bar:}
# good - can't omit `baz`
{foo: foo, bar: baz}
Omit the hash value. Open
Dragnet::Type::View.for(question.type, context: self).data_grid_display(answers, question, alt: alt)
- Read upRead up
- Exclude checks
Checks hash literal syntax.
It can enforce either the use of the class hash rocket syntax or the use of the newer Ruby 1.9 syntax (when applicable).
A separate offense is registered for each problematic pair.
The supported styles are:
- ruby19 - forces use of the 1.9 syntax (e.g.
{a: 1}
) when hashes have all symbols for keys - hash_rockets - forces use of hash rockets for all hashes
- nomixedkeys - simply checks for hashes with mixed syntaxes
- ruby19nomixed_keys - forces use of ruby 1.9 syntax and forbids mixed syntax hashes
This cop has EnforcedShorthandSyntax
option.
It can enforce either the use of the explicit hash value syntax or
the use of Ruby 3.1's hash value shorthand syntax.
The supported styles are:
- always - forces use of the 3.1 syntax (e.g. {foo:})
- never - forces use of explicit hash literal value
- either - accepts both shorthand and explicit use of hash literal value
- consistent - forces use of the 3.1 syntax only if all values can be omitted in the hash
Example: EnforcedStyle: ruby19 (default)
# bad
{:a => 2}
{b: 1, :c => 2}
# good
{a: 2, b: 1}
{:c => 2, 'd' => 2} # acceptable since 'd' isn't a symbol
{d: 1, 'e' => 2} # technically not forbidden
Example: EnforcedStyle: hash_rockets
# bad
{a: 1, b: 2}
{c: 1, 'd' => 5}
# good
{:a => 1, :b => 2}
Example: EnforcedStyle: nomixedkeys
# bad
{:a => 1, b: 2}
{c: 1, 'd' => 2}
# good
{:a => 1, :b => 2}
{c: 1, d: 2}
Example: EnforcedStyle: ruby19nomixed_keys
# bad
{:a => 1, :b => 2}
{c: 2, 'd' => 3} # should just use hash rockets
# good
{a: 1, b: 2}
{:c => 3, 'd' => 4}
Example: EnforcedShorthandSyntax: always (default)
# bad
{foo: foo, bar: bar}
# good
{foo:, bar:}
Example: EnforcedShorthandSyntax: never
# bad
{foo:, bar:}
# good
{foo: foo, bar: bar}
Example: EnforcedShorthandSyntax: either
# good
{foo: foo, bar: bar}
# good
{foo: foo, bar:}
# good
{foo:, bar:}
Example: EnforcedShorthandSyntax: consistent
# bad - `foo` and `bar` values can be omitted
{foo: foo, bar: bar}
# bad - `bar` value can be omitted
{foo:, bar: bar}
# bad - mixed syntaxes
{foo:, bar: baz}
# good
{foo:, bar:}
# good - can't omit `baz`
{foo: foo, bar: baz}