XSS False Positive #1081
Comments
Hi, Can you please run with either Additionally, please show where The reason Brakeman warns on use of Also,
Thanks for the quick answer! -f plain output:
More context:
File: app/views/layouts/application.html.erb
Incidentally closed by #1093
I ran the scan against an app and I got the following result:
Medium | StrategiesController | show | Cross Site Scripting | Unsafe model attribute in link_to href near line 33: link_to(User.where(:id => Strategy.friendly.find..
The code is:
I tried to exploit the XSS, but I couldn't.
I think the
sanitize link_to name, link_url
and
the_link.html_safe
make the code safe. IMHO it's a false positive and the detection method of XSS can be improved. Anyhow if I'm wrong, please let me know.
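Independently of how this particular report was resolved, the finding category above (a model attribute reaching the href of link_to) is worth a short illustration. The plain Ruby below is an added example, not code from this issue or from Brakeman: it contrasts attribute escaping on its own with an explicit scheme allowlist. The helper names escaped_link, safe_href and safe_link, and the SAFE_SCHEMES list, are assumptions for the example.

```ruby
require 'uri'
require 'cgi'

# Schemes a link built from stored data is allowed to use (example allowlist).
SAFE_SCHEMES = %w[http https mailto].freeze

# Mimics the escaping a link helper applies: name and href are attribute-escaped.
# Escaping stops quote and tag injection, but a "javascript:" scheme survives it
# untouched, which is the reason a model-sourced href is reported as a risk.
def escaped_link(name, href)
  %(<a href="#{CGI.escapeHTML(href.to_s)}">#{CGI.escapeHTML(name.to_s)}</a>)
end

# Allowlist check for the href: relative paths and allowlisted schemes pass,
# everything else (unknown scheme, unparsable value, protocol-relative "//host")
# is replaced by "#". Protocol-relative URLs are not an XSS issue, but they send
# the user off-site, so this example treats them as not allowed.
def safe_href(url)
  s = url.to_s.strip
  return '#' if s.empty? || s.start_with?('//')
  uri = URI.parse(s)
  return s if uri.scheme.nil?
  SAFE_SCHEMES.include?(uri.scheme.downcase) ? s : '#'
rescue URI::InvalidURIError
  # Values such as "java\tscript:" fail to parse and are rejected here.
  '#'
end

# The combination a view should use: scheme check first, then escaping.
def safe_link(name, href)
  escaped_link(name, safe_href(href))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values standing in for a stored model attribute.
  ['/strategies/1', 'https://example.com/s/1', 'javascript:alert(1)', '//evil.example'].each do |u|
    puts "#{u.inspect}: escaped only -> #{escaped_link('open', u)}"
    puts "#{u.inspect}: allowlisted  -> #{safe_link('open', u)}"
  end
end
```

CGI.escapeHTML stands in for the attribute escaping a Rails helper performs; the point of the example is that escaping and a scheme check address different problems, and only the second one removes an unwanted scheme from the href.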