content_tag no longer considered dangerous #1778

Closed
oreoshake opened this issue May 9, 2023 · 1 comment · Fixed by #1779

oreoshake (Contributor) commented May 9, 2023

Background

Brakeman version: 5.1.2
Rails version: 6.1.7.3
Ruby version: 2.7.5

Link to Rails application code: #1778

False Positive

Full warning from Brakeman:

Confidence: High
Category: Cross-Site Scripting
Check: ContentTag
Message: Unescaped parameter value in `content_tag`
Code: content_tag(:tr, foo(mf), params[:foo] => params[:bar])

Relevant code:

helper.content_tag :p, "<script>alert(1)</script>", "<script>&'\"" => "<script>&'\""

Why might this be a false positive?

The return value seems to gsub out the control characters for _ in attribute names now.

=> "<p _script____=\"&lt;script&gt;&amp;&#39;&quot;\">&lt;script&gt;alert(1)&lt;/script&gt;</p>"

I haven't really tracked down when this changed. I thought I did, but no.

presidentbeef (Owner) commented

I think it was

rails/rails@5c7dae5

released in Rails 6.1.6
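The behaviour reported above (attribute names from untrusted input having their unsafe characters replaced with `_`, values and body being entity-escaped) can be reproduced without Rails. The following is an added example written for this page; it is not Brakeman or Rails code, and `build_tag`, `escape_attribute_name` and `well_formed_opening_tag?` are stand-in names, not Rails' own `content_tag` internals. The name-sanitization rule (everything outside `A-Za-z0-9_-:.` becomes `_`) is a simplified approximation chosen because it yields exactly the output shown in the issue; Rails' real implementation may differ in detail. The `escape_names: false` path shows why the ContentTag check existed: with the attribute name passed through verbatim, the user-controlled key breaks out of the attribute position and the opening tag is no longer well formed.

```ruby
require "cgi"

# Simplified approximation (for this example only, not Rails' algorithm):
# any character outside a conservative attribute-name alphabet becomes "_".
# The issue's key  <script>&'"  therefore becomes  _script____ .
def escape_attribute_name(name)
  name.to_s.gsub(/[^A-Za-z0-9_\-:.]/, "_")
end

# Attribute values and text content: CGI.escapeHTML turns & < > " ' into
# entities, producing the &#39; / &quot; forms seen in the issue's output.
def escape_html(text)
  CGI.escapeHTML(text.to_s)
end

# Minimal stand-in for content_tag: <tag name="value" ...>content</tag>.
# escape_names: false models the pre-fix behaviour, where an attribute *name*
# taken from user input reached the markup unchanged.
def build_tag(tag, content, attrs = {}, escape_names: true)
  attr_string = attrs.map do |name, value|
    name = escape_names ? escape_attribute_name(name) : name.to_s
    %(#{name}="#{escape_html(value)}")
  end.join(" ")
  opening = attr_string.empty? ? "<#{tag}>" : "<#{tag} #{attr_string}>"
  "#{opening}#{escape_html(content)}</#{tag}>"
end

# Defender-side sanity check on rendered output: the opening tag must consist
# solely of <tag> followed by zero or more  name="value"  pairs whose names use
# the safe alphabet and whose values contain no raw quote or angle bracket.
def well_formed_opening_tag?(html, tag)
  attr = /\s[A-Za-z0-9_\-:.]+="[^"<>]*"/
  html.match?(/\A<#{Regexp.escape(tag.to_s)}(?:#{attr})*>/)
end

# Constructed input, taken from the issue report: the same tainted string is
# used as both attribute name and attribute value.
TAINTED = %(<script>&'")
BODY    = "<script>alert(1)</script>"

if __FILE__ == $0
  escaped   = build_tag(:p, BODY, { TAINTED => TAINTED })
  unescaped = build_tag(:p, BODY, { TAINTED => TAINTED }, escape_names: false)
  puts "name escaping on:  #{escaped}"
  puts "  well formed? #{well_formed_opening_tag?(escaped, :p)}"
  puts "name escaping off: #{unescaped}"
  puts "  well formed? #{well_formed_opening_tag?(unescaped, :p)}"
end
```

Run with `ruby content_tag_escape.rb` (any file name). The first line printed matches the return value quoted in the issue; the second variant shows the key landing inside the tag as raw markup, which is exactly what the Brakeman check was written to flag before Rails started escaping attribute names.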
