
Tagging a string as html safe may be a security risk.

      label.html_safe + ' ' + column_sort_icon(grid, column).html_safe
Severity: Minor
Found in app/helpers/data_grid_helper.rb by rubocop

This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.

    user_content = "<b>hi</b>"

    # bad
    "<p>#{user_content}</p>".html_safe
    # => ActiveSupport::SafeBuffer "<p><b>hi</b></p>"

    # good
    content_tag(:p, user_content)
    # => ActiveSupport::SafeBuffer "<p>&lt;b&gt;hi&lt;/b&gt;</p>"

    # bad
    out = ""
    out << "<li>#{user_content}</li>"
    out << "<li>#{user_content}</li>"
    out.html_safe
    # => ActiveSupport::SafeBuffer "<li><b>hi</b></li><li><b>hi</b></li>"

    # good
    out = []
    out << content_tag(:li, user_content)
    out << content_tag(:li, user_content)
    safe_join(out)
    # => ActiveSupport::SafeBuffer
    #    "<li>&lt;b&gt;hi&lt;/b&gt;</li><li>&lt;b&gt;hi&lt;/b&gt;</li>"

    # bad
    out = "<h1>trusted content</h1>".html_safe
    out.safe_concat(user_content)
    # => ActiveSupport::SafeBuffer "<h1>trusted content</h1><b>hi</b>"

    # good
    out = "<h1>trusted content</h1>".html_safe
    out.concat(user_content)
    # => ActiveSupport::SafeBuffer
    #    "<h1>trusted content</h1>&lt;b&gt;hi&lt;/b&gt;"

    # safe, though maybe not good style
    out = "trusted content"
    result = out.concat(user_content)
    # => String "trusted content<b>hi</b>"
    # because when rendered in ERB the String will be escaped:
    # <%= result %>
    # => trusted content&lt;b&gt;hi&lt;/b&gt;

    # bad
    (user_content + " " + content_tag(:span, user_content)).html_safe
    # => ActiveSupport::SafeBuffer "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

    # good
    safe_join([user_content, " ", content_tag(:span, user_content)])
    # => ActiveSupport::SafeBuffer
    #    "&lt;b&gt;hi&lt;/b&gt; <span>&lt;b&gt;hi&lt;/b&gt;</span>"
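To make the risk in the flagged helper line concrete, here is an added example (not code from the report, the project or Rails): a minimal model of ActiveSupport's html_safe, + and safe_join semantics, a hypothetical column_sort_icon helper and a constructed label value, showing that force-marking both operands safe passes markup inside label straight through, while safe_join escapes it and keeps the trusted icon intact.

```ruby
# Added example (not code from the report, the project or Rails): a minimal
# model of ActiveSupport's html_safe / + / safe_join semantics, run without Rails.
require 'cgi'
# A string that has been marked as already-escaped HTML.
class SafeBuffer < String
  def html_safe?; true; end
  def html_safe; self; end

  # As in ActiveSupport: appending an unsafe String escapes it first,
  # appending an already-safe buffer keeps it verbatim.
  def +(other)
    SafeBuffer.new(to_s + escape_unless_safe(other))
  end
end

class String
  def html_safe?; false; end
  # Force-marks content as safe: nothing is escaped, whatever it contains.
  def html_safe; SafeBuffer.new(self); end
end

def escape_unless_safe(piece)
  piece.respond_to?(:html_safe?) && piece.html_safe? ? piece.to_s : CGI.escapeHTML(piece.to_s)
end

# Joins the pieces, escaping every one that is not already marked safe.
def safe_join(pieces, sep = '')
  pieces.map { |p| escape_unless_safe(p) }.join(sep).html_safe
end

# Hypothetical sort icon helper: trusted markup the application builds itself.
def column_sort_icon(direction)
  %(<i class="sort-#{direction}"></i>)
end

# The flagged pattern: both operands are force-marked safe, so whatever
# `label` contains reaches the page unescaped.
def header_unsafe(label, direction)
  label.html_safe + ' ' + column_sort_icon(direction).html_safe
end

# The cop's fix: only the icon is marked safe, the label is escaped.
def header_safe(label, direction)
  safe_join([label, ' ', column_sort_icon(direction).html_safe])
end

# Constructed sample: a column label carrying markup from user input.
USER_LABEL = '<b>hi</b>'
puts header_unsafe(USER_LABEL, 'asc') # <b>hi</b> <i class="sort-asc"></i>
puts header_safe(USER_LABEL, 'asc')   # &lt;b&gt;hi&lt;/b&gt; <i class="sort-asc"></i>
```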

    Tagging a string as html safe may be a security risk.

          label.html_safe + ' ' + column_sort_icon(grid, column).html_safe
    Severity: Minor
    Found in app/helpers/data_grid_helper.rb by rubocop


    Prefer string interpolation to string concatenation.

          label.html_safe + ' ' + column_sort_icon(grid, column).html_safe
    Severity: Minor
    Found in app/helpers/data_grid_helper.rb by rubocop

    Checks for places where string concatenation can be replaced with string interpolation.

    The cop can autocorrect simple cases but will skip autocorrecting more complex cases where the resulting code would be harder to read. In those cases, it might be useful to extract statements to local variables or methods which you can then interpolate in a string.

    NOTE: When concatenation between two strings is broken over multiple lines, this cop does not register an offense; instead, Style/LineEndConcatenation will pick up the offense if enabled.

    Two modes are supported:

    1. aggressive style checks and corrects all occurrences of + where either the left or right side of + is a string literal.
    2. conservative style, on the other hand, checks and corrects only if the left side (receiver of the + method call) is a string literal. This is useful when the receiver is some expression that returns a string, like Pathname, instead of a string literal.


    This cop is unsafe in aggressive mode, as it cannot be guaranteed that the receiver is actually a string, which can result in a false positive.

    Example: Mode: aggressive (default)

    # bad
    email_with_name = user.name + ' <' + user.email + '>'
    Pathname.new('/') + 'test'

    # good
    email_with_name = "#{user.name} <#{user.email}>"
    email_with_name = format('%s <%s>', user.name, user.email)
    "#{Pathname.new('/')}test"

    # accepted, line-end concatenation
    name = 'First' +
      'Last'

    Example: Mode: conservative

    # bad
    'Hello' + user.name

    # good
    "Hello #{user.name}"
    user.name + '!!'
    Pathname.new('/') + 'test'

    Final newline missing.

    Severity: Minor
    Found in app/helpers/data_grid_helper.rb by rubocop

    Looks for trailing blank lines and a final newline in the source code.

    Example: EnforcedStyle: final_newline (default)

    # `final_newline` looks for one newline at the end of files.

    # bad
    class Foo; end

    # EOF

    # bad
    class Foo; end # EOF

    # good
    class Foo; end
    # EOF

    Example: EnforcedStyle: final_blank_line

    # `final_blank_line` looks for one blank line followed by a new line
    # at the end of files.

    # bad
    class Foo; end
    # EOF

    # bad
    class Foo; end # EOF

    # good
    class Foo; end

    # EOF

    Omit the hash value.

        htmx_options = { push_url: push_url, get: table_path, target: '#data-grid-table', swap: 'morph:innerHTML' }
    Severity: Minor
    Found in app/helpers/data_grid_helper.rb by rubocop

    Checks hash literal syntax.

    It can enforce either the use of the classic hash rocket syntax or the use of the newer Ruby 1.9 syntax (when applicable).

    A separate offense is registered for each problematic pair.

    The supported styles are:

    • ruby19 - forces use of the 1.9 syntax (e.g. {a: 1}) when hashes have all symbols for keys
    • hash_rockets - forces use of hash rockets for all hashes
    • no_mixed_keys - simply checks for hashes with mixed syntaxes
    • ruby19_no_mixed_keys - forces use of ruby 1.9 syntax and forbids mixed syntax hashes

    This cop has an EnforcedShorthandSyntax option. It can enforce either the use of the explicit hash value syntax or the use of Ruby 3.1's hash value shorthand syntax.

    The supported styles are:

    • always - forces use of the 3.1 syntax (e.g. {foo:})
    • never - forces use of explicit hash literal value
    • either - accepts both shorthand and explicit use of hash literal value
    • consistent - forces use of the 3.1 syntax only if all values can be omitted in the hash

    Example: EnforcedStyle: ruby19 (default)

    # bad
    {:a => 2}
    {b: 1, :c => 2}
    # good
    {a: 2, b: 1}
    {:c => 2, 'd' => 2} # acceptable since 'd' isn't a symbol
    {d: 1, 'e' => 2} # technically not forbidden

    Example: EnforcedStyle: hash_rockets

    # bad
    {a: 1, b: 2}
    {c: 1, 'd' => 5}
    # good
    {:a => 1, :b => 2}

    Example: EnforcedStyle: no_mixed_keys

    # bad
    {:a => 1, b: 2}
    {c: 1, 'd' => 2}
    # good
    {:a => 1, :b => 2}
    {c: 1, d: 2}

    Example: EnforcedStyle: ruby19_no_mixed_keys

    # bad
    {:a => 1, :b => 2}
    {c: 2, 'd' => 3} # should just use hash rockets
    # good
    {a: 1, b: 2}
    {:c => 3, 'd' => 4}

    Example: EnforcedShorthandSyntax: always (default)

    # bad
    {foo: foo, bar: bar}
    # good
    {foo:, bar:}

    Example: EnforcedShorthandSyntax: never

    # bad
    {foo:, bar:}
    # good
    {foo: foo, bar: bar}

    Example: EnforcedShorthandSyntax: either

    # good
    {foo: foo, bar: bar}
    # good
    {foo: foo, bar:}
    # good
    {foo:, bar:}

    Example: EnforcedShorthandSyntax: consistent

    # bad - `foo` and `bar` values can be omitted
    {foo: foo, bar: bar}
    # bad - `bar` value can be omitted
    {foo:, bar: bar}
    # bad - mixed syntaxes
    {foo:, bar: baz}
    # good
    {foo:, bar:}
    # good - can't omit `baz`
    {foo: foo, bar: baz}

    Omit the hash value.

        Dragnet::Type::View.for(question.type, context: self).data_grid_display(answers, question, alt: alt)
    Severity: Minor
    Found in app/helpers/data_grid_helper.rb by rubocop


