class Brakeman::CheckRenderInline
Constants
- CONTENT_TYPES
Public Instance Methods
check_render(result)
# File lib/brakeman/checks/check_render_inline.rb, line 14
# Inspect a single +render+ call site for inline/text rendering of unescaped data.
#
# Only +render :text+ and +render :inline+ calls are examined. A +:text+ render
# whose option hash (call[3]) carries a :content_type outside CONTENT_TYPES is
# skipped via content_type_set?. The rendered value (call[2]) is then checked for
# immediate user input (reported at :high confidence) or an immediate model
# attribute (reported at :medium confidence); presumably only direct arguments
# are matched, not values reached through assignments — confirm in the base check.
#
# @param result [Hash] one entry from tracker.find_call; result[:call] is the render Sexp
# @return the value of +warn+ when a warning is issued, otherwise nil
def check_render result
  # original? is supplied by the base check class (not visible here); treated as a
  # duplicate filter — confirm.
  return unless original? result

  call = result[:call]
  return unless node_type?(call, :render)

  render_type = call.render_type
  return unless render_type == :text || render_type == :inline

  # A :text render that sets an explicit content type not in CONTENT_TYPES is left alone.
  return if render_type == :text && content_type_set?(call[3])

  render_value = call[2]

  if (input = has_immediate_user_input?(render_value))
    warn result: result,
         warning_type: "Cross-Site Scripting",
         warning_code: :cross_site_scripting_inline,
         message: msg("Unescaped ", msg_input(input), " rendered inline"),
         user_input: input,
         confidence: :high
  elsif (input = has_immediate_model?(render_value))
    warn result: result,
         warning_type: "Cross-Site Scripting",
         warning_code: :cross_site_scripting_inline,
         message: "Unescaped model attribute rendered inline",
         user_input: input,
         confidence: :medium
  end
end
content_type_set?(opts)
# File lib/brakeman/checks/check_render_inline.rb, line 46
# Report whether the render options set a content type that is not one of CONTENT_TYPES.
#
# True only when +opts+ is a hash Sexp whose :content_type entry is a string
# literal whose value is absent from CONTENT_TYPES. Non-hash +opts+ yield nil.
#
# @param opts [Sexp] the render call's option hash (call[3]), may be any node
# @return [Boolean, nil] nil when +opts+ is not a hash
def content_type_set? opts
  return unless hash? opts

  content_type = hash_access(opts, :content_type)
  string?(content_type) && !CONTENT_TYPES.include?(content_type.value)
end
run_check()
# File lib/brakeman/checks/check_render_inline.rb, line 6
# Entry point for this check: locate every receiver-less +render+ call known to
# the tracker and hand each one to check_render.
#
# @return [Array] the list of call results, as returned by +each+
def run_check
  setup

  render_calls = tracker.find_call(target: nil, method: :render)
  render_calls.each do |render_call|
    check_render render_call
  end
end