app/views/response/response.html.erb
Potentially unsafe model attribute in link_to href Open
Open
<%= link_to image_tag('external-link-16.png', :border => 0, :align => 'middle'), topic.link, :target => '_blank' %>- Read upRead up
- Exclude checks
Even though Rails will escape the link provided to link_to, values starting with javascript: or data: are unescaped and dangerous.
Brakeman will warn on if user values are used to provide the HREF value in link_to or if they are interpolated at the beginning of a string.
The --url-safe-methods option can be used to specify methods which make URLs safe.
See here for more details.