app/helpers/application_helper.rb
Tagging a string as html safe may be a security risk. Open
Open
"<div class='flash_#{type} alert alert-#{type}'>#{flash[type]}</div>".html_safe if flash[type]
- Read upRead up
- Exclude checks
This cop checks for the use of output safety calls like htmlsafe, raw, and safeconcat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.
Example:
user_content = "hi"
# bad
"#{user_content}
".html_safe
# => ActiveSupport::SafeBuffer "hi
"
# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>
"
# bad
out = ""
out << "#{user_content} "
out << "#{user_content} "
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi "
# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
# "<b>hi</b>
<b>hi</b> "
# bad
out = "trusted content
".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"
# good
out = "trusted content
".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
# "trusted_content
<b>hi</b>"
# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>
# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"
# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
# "<b>hi</b> <span><b>hi</b></span>"
Rename is_available
to available?
. Open
Open
def is_available(user, owner_id)
- Read upRead up
- Exclude checks
This cop makes sure that predicates are named properly.
Example:
# bad
def is_even?(value)
end
# good
def even?(value)
end
# bad
def has_value?
end
# good
def value?
end
The use of eval
is a serious security risk. Open
Open
eval "#{l_user.role.name.delete('-')}.new"
- Read upRead up
- Exclude checks
This cop checks for the use of Kernel#eval
and Binding#eval
.
Example:
# bad
eval(something)
binding.eval(something)
Pass __FILE__
and __LINE__
to eval
method, as they are used by backtraces. Open
Open
eval "#{l_user.role.name.delete('-')}.new"
- Read upRead up
- Exclude checks
This cop checks eval
method usage. eval
can receive source location
metadata, that are filename and line number. The metadata is used by
backtraces. This cop recommends to pass the metadata to eval
method.
Example:
# bad
eval <<-RUBY
def do_something
end
RUBY
# bad
C.class_eval <<-RUBY
def do_something
end
RUBY
# good
eval <<-RUBY, binding, __FILE__, __LINE__ + 1
def do_something
end
RUBY
# good
C.class_eval <<-RUBY, __FILE__, __LINE__ + 1
def do_something
end
RUBY