Check link_to false negative when passing only one parameter #1339
Brakeman version: 4.5.0
Here's a code snippet that produces an XSS vulnerability that isn't getting flagged by Brakeman. I believe it's because the Brakeman code is only running this check for Rails versions '2.0.0' to '2.9.9'. It seems that link_to escaped its first argument in Rails 3, but I don't believe it does so in Rails 4 or 5.
Hi @swallenfriedman -
Thank you for reporting this.
I was confused at first, but I see the issue is that you are calling
Should be no problem to rectify this.
Just to clarify a little bit...
There are two checks for
What's a little crazy is that I added