ece517-p3/expertiza

app/helpers/application_helper.rb

Summary

Maintainability
A
0 mins
Test Coverage

Tagging a string as html safe may be a security risk.
Open

    "<div class='flash_#{type} alert alert-#{type}'>#{flash[type]}</div>".html_safe if flash[type]
Severity: Minor
Found in app/helpers/application_helper.rb by rubocop

This cop checks for the use of output safety calls like `html_safe`, `raw`, and `safe_concat`. These methods do not escape content; they simply return a SafeBuffer containing the content as is. Instead, use `safe_join` to join content and escape it, and `concat` to concatenate content and escape it, ensuring its safety.

Example:

    user_content = "<b>hi</b>"

    # bad
    "<p>#{user_content}</p>".html_safe
    # => ActiveSupport::SafeBuffer "<p><b>hi</b></p>"

    # good
    content_tag(:p, user_content)
    # => ActiveSupport::SafeBuffer "<p>&lt;b&gt;hi&lt;/b&gt;</p>"

    # bad
    out = ""
    out << "<li>#{user_content}</li>"
    out << "<li>#{user_content}</li>"
    out.html_safe
    # => ActiveSupport::SafeBuffer "<li><b>hi</b></li><li><b>hi</b></li>"

    # good
    out = []
    out << content_tag(:li, user_content)
    out << content_tag(:li, user_content)
    safe_join(out)
    # => ActiveSupport::SafeBuffer
    #    "<li>&lt;b&gt;hi&lt;/b&gt;</li><li>&lt;b&gt;hi&lt;/b&gt;</li>"

    # bad
    out = "<h1>trusted content</h1>".html_safe
    out.safe_concat(user_content)
    # => ActiveSupport::SafeBuffer "<h1>trusted content</h1><b>hi</b>"

    # good
    out = "<h1>trusted content</h1>".html_safe
    out.concat(user_content)
    # => ActiveSupport::SafeBuffer
    #    "<h1>trusted content</h1>&lt;b&gt;hi&lt;/b&gt;"

    # safe, though maybe not good style
    out = "trusted content"
    result = out.concat(user_content)
    # => String "trusted content<b>hi</b>"
    # because when rendered in ERB the String will be escaped:
    # <%= result %>
    # => trusted content&lt;b&gt;hi&lt;/b&gt;

    # bad
    (user_content + " " + content_tag(:span, user_content)).html_safe
    # => ActiveSupport::SafeBuffer "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

    # good
    safe_join([user_content, " ", content_tag(:span, user_content)])
    # => ActiveSupport::SafeBuffer
    #    "&lt;b&gt;hi&lt;/b&gt; <span>&lt;b&gt;hi&lt;/b&gt;</span>"

Rename is_available to available?.
Open

    def is_available(user, owner_id)
Severity: Minor
Found in app/helpers/application_helper.rb by rubocop

This cop makes sure that predicates are named properly.

Example:

    # bad
    def is_even?(value)
    end

    # good
    def even?(value)
    end

    # bad
    def has_value?
    end

    # good
    def value?
    end

The use of eval is a serious security risk.
Open

    eval "#{l_user.role.name.delete('-')}.new"
Severity: Minor
Found in app/helpers/application_helper.rb by rubocop

This cop checks for the use of Kernel#eval and Binding#eval.

Example:

    # bad
    eval(something)
    binding.eval(something)

Pass __FILE__ and __LINE__ to eval method, as they are used by backtraces.
Open

    eval "#{l_user.role.name.delete('-')}.new"
Severity: Minor
Found in app/helpers/application_helper.rb by rubocop

This cop checks eval method usage. eval can receive source-location metadata (a filename and a line number), which backtraces use. This cop recommends passing that metadata to the eval method.

Example:

    # bad
    eval <<-RUBY
      def do_something
      end
    RUBY

    # bad
    C.class_eval <<-RUBY
      def do_something
      end
    RUBY

    # good
    eval <<-RUBY, binding, __FILE__, __LINE__ + 1
      def do_something
      end
    RUBY

    # good
    C.class_eval <<-RUBY, __FILE__, __LINE__ + 1
      def do_something
      end
    RUBY
