Tagging a string as html safe may be a security risk. Open
Maruku.new(text).to_html.html_safe
- Read upRead up
- Exclude checks
This cop checks for the use of output safety calls like htmlsafe, raw, and safeconcat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.
Example:
user_content = "hi"
# bad
"#{user_content}
".html_safe
# => ActiveSupport::SafeBuffer "hi
"
# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>
"
# bad
out = ""
out << "#{user_content} "
out << "#{user_content} "
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi "
# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
# "<b>hi</b>
<b>hi</b> "
# bad
out = "trusted content
".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"
# good
out = "trusted content
".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
# "trusted_content
<b>hi</b>"
# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>
# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"
# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
# "<b>hi</b> <span><b>hi</b></span>"
Use if obj.errors.blank?
instead of unless obj.errors.present?
. Open
return unless obj.errors.present?
- Read upRead up
- Exclude checks
This cops checks for code that can be changed to blank?
.
Settings:
NilOrEmpty: Convert checks for nil
or empty?
to blank?
NotPresent: Convert usages of not present?
to blank?
UnlessPresent: Convert usages of unless
present?
to blank?
Example:
# NilOrEmpty: true
# bad
foo.nil? || foo.empty?
foo == nil || foo.empty?
# good
foo.blank?
# NotPresent: true
# bad
!foo.present?
# good
foo.blank?
# UnlessPresent: true
# bad
something unless foo.present?
unless foo.present?
something
end
# good
something if foo.blank?
if foo.blank?
something
end
Tagging a string as html safe may be a security risk. Open
raw string.gsub(/#{Regexp.escape(term).gsub(/\\\s/, '|')}/i, '<mark>\0</mark>')
- Read upRead up
- Exclude checks
This cop checks for the use of output safety calls like htmlsafe, raw, and safeconcat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.
Example:
user_content = "hi"
# bad
"#{user_content}
".html_safe
# => ActiveSupport::SafeBuffer "hi
"
# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>
"
# bad
out = ""
out << "#{user_content} "
out << "#{user_content} "
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi "
# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
# "<b>hi</b>
<b>hi</b> "
# bad
out = "trusted content
".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"
# good
out = "trusted content
".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
# "trusted_content
<b>hi</b>"
# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>
# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"
# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
# "<b>hi</b> <span><b>hi</b></span>"
Tagging a string as html safe may be a security risk. Open
strip_markdown(text).gsub(/\{\{|\}\}/, "{{" => "<mark>", "}}" => "</mark>").html_safe
- Read upRead up
- Exclude checks
This cop checks for the use of output safety calls like htmlsafe, raw, and safeconcat. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it and concat to concatenate content and escape it, ensuring its safety.
Example:
user_content = "hi"
# bad
"#{user_content}
".html_safe
# => ActiveSupport::SafeBuffer "hi
"
# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<b>hi</b>
"
# bad
out = ""
out << "#{user_content} "
out << "#{user_content} "
out.html_safe
# => ActiveSupport::SafeBuffer "hi
hi "
# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
# "<b>hi</b>
<b>hi</b> "
# bad
out = "trusted content
".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "trusted_content
hi"
# good
out = "trusted content
".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
# "trusted_content
<b>hi</b>"
# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted contenthi"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content<b>hi</b>
# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "hi <span><b>hi</b></span>"
# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
# "<b>hi</b> <span><b>hi</b></span>"
Missing magic comment # frozen_string_literal: true
. Open
module ApplicationHelper
- Read upRead up
- Exclude checks
This cop is designed to help upgrade to Ruby 3.0. It will add the
comment # frozen_string_literal: true
to the top of files to
enable frozen string literals. Frozen string literals may be default
in Ruby 3.0. The comment will be added below a shebang and encoding
comment. The frozen string literal comment is only valid in Ruby 2.3+.
Example: EnforcedStyle: when_needed (default)
# The `when_needed` style will add the frozen string literal comment
# to files only when the `TargetRubyVersion` is set to 2.3+.
# bad
module Foo
# ...
end
# good
# frozen_string_literal: true
module Foo
# ...
end
Example: EnforcedStyle: always
# The `always` style will always add the frozen string literal comment
# to a file, regardless of the Ruby version or if `freeze` or `<<` are
# called on a string literal.
# bad
module Bar
# ...
end
# good
# frozen_string_literal: true
module Bar
# ...
end
Example: EnforcedStyle: never
# The `never` will enforce that the frozen string literal comment does
# not exist in a file.
# bad
# frozen_string_literal: true
module Baz
# ...
end
# good
module Baz
# ...
end
Use safe navigation (&.
) instead of checking if an object exists before calling the method. Open
url.gsub(/(^https?:\/\/(www.)?)|(\/$)/, "") if url
- Read upRead up
- Exclude checks
This cop transforms usages of a method call safeguarded by a non nil
check for the variable whose method is being called to
safe navigation (&.
).
Configuration option: ConvertCodeThatCanStartToReturnNil
The default for this is false
. When configured to true
, this will
check for code in the format !foo.nil? && foo.bar
. As it is written,
the return of this code is limited to false
and whatever the return
of the method is. If this is converted to safe navigation,
foo&.bar
can start returning nil
as well as what the method
returns.
Example:
# bad
foo.bar if foo
foo.bar(param1, param2) if foo
foo.bar { |e| e.something } if foo
foo.bar(param) { |e| e.something } if foo
foo.bar if !foo.nil?
foo.bar unless !foo
foo.bar unless foo.nil?
foo && foo.bar
foo && foo.bar(param1, param2)
foo && foo.bar { |e| e.something }
foo && foo.bar(param) { |e| e.something }
# good
foo&.bar
foo&.bar(param1, param2)
foo&.bar { |e| e.something }
foo&.bar(param) { |e| e.something }
foo.nil? || foo.bar
!foo || foo.bar
# Methods that `nil` will `respond_to?` should not be converted to
# use safe navigation
foo.to_i if foo
Always use raise
to signal exceptions. Open
fail ArgumentError, "Actions supported: :new and :updated"
- Read upRead up
- Exclude checks
This cop checks for uses of fail
and raise
.
Example: EnforcedStyle: only_raise (default)
# The `only_raise` style enforces the sole use of `raise`.
# bad
begin
fail
rescue Exception
# handle it
end
def watch_out
fail
rescue Exception
# handle it
end
Kernel.fail
# good
begin
raise
rescue Exception
# handle it
end
def watch_out
raise
rescue Exception
# handle it
end
Kernel.raise
Example: EnforcedStyle: only_fail
# The `only_fail` style enforces the sole use of `fail`.
# bad
begin
raise
rescue Exception
# handle it
end
def watch_out
raise
rescue Exception
# handle it
end
Kernel.raise
# good
begin
fail
rescue Exception
# handle it
end
def watch_out
fail
rescue Exception
# handle it
end
Kernel.fail
Example: EnforcedStyle: semantic
# The `semantic` style enforces the use of `fail` to signal an
# exception, then will use `raise` to trigger an offense after
# it has been rescued.
# bad
begin
raise
rescue Exception
# handle it
end
def watch_out
# Error thrown
rescue Exception
fail
end
Kernel.fail
Kernel.raise
# good
begin
fail
rescue Exception
# handle it
end
def watch_out
fail
rescue Exception
raise 'Preferably with descriptive message'
end
explicit_receiver.fail
explicit_receiver.raise