Brakeman does not appear to warn on render :inline content #672

oreoshake opened this Issue Jun 26, 2015 · 1 comment




I put up an example and a semi-valid failing test case: master...oreoshake:render-inline

`render :inline => "<%= xss.html_safe %>", :content_type => "text/html", :locals => {:xss => params[:xss]}` is XSS but brakeman doesn't seem to catch it.
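A simplified check for the pattern in this report, added here as an illustration rather than Brakeman's own check or the test case from the linked branch: it scans Ruby source for `render :inline` calls (hash-rocket and symbol-key styles) and flags inline templates whose `<%= %>` expressions call `.html_safe` or `raw`, which is what turns a `params`-fed local into unescaped output. The controller source, the `ThingsController` class and its action names are constructed for the example.

```ruby
# Constructed sample controller source (assumption: not Brakeman's code and
# not the failing test from the linked branch). The first action mirrors the
# report's render call; the second keeps ActionView's auto-escaping; the
# third renders a normal template and should produce no finding.
SAMPLE_SOURCE = <<~RUBY
  class ThingsController < ApplicationController
    def show
      render :inline => "<%= xss.html_safe %>", :content_type => "text/html",
             :locals => {:xss => params[:xss]}
    end

    def safe
      render inline: "<%= name %>", locals: { name: params[:name] }
    end

    def template
      render :show
    end
  end
RUBY

# render :inline => "..."  or  render inline: "..."  (optionally parenthesised).
# The captured quote character is back-referenced so the template string ends
# at its own closing quote; /m lets a template span lines.
INLINE_RENDER = /render\s*\(?\s*(?::inline\s*=>|inline:)\s*(["'])(.*?)\1/m

# An output expression that disables escaping: <%= raw ... %> or
# <%= something.html_safe %>. Anything attacker-controlled reaching such an
# expression through :locals is rendered verbatim into the HTML.
UNESCAPED_EXPR = /<%=\s*(?:raw\b|.*?\.html_safe\b)/

# Return [line_number, template_string] for every render :inline call in source.
def inline_templates(source)
  results = []
  source.scan(INLINE_RENDER) do
    m = Regexp.last_match
    line = source[0...m.begin(0)].count("\n") + 1
    results << [line, m[2]]
  end
  results
end

# Only the inline templates whose ERB output tags bypass escaping.
def unsafe_inline_templates(source)
  inline_templates(source).select { |_, tpl| tpl.match?(UNESCAPED_EXPR) }
end

# Human-readable findings, one per unsafe template.
def report(source, filename = "things_controller.rb")
  unsafe_inline_templates(source).map do |line, tpl|
    "#{filename}:#{line}: unescaped output in render :inline template #{tpl.inspect}"
  end
end

puts report(SAMPLE_SOURCE) if $PROGRAM_NAME == __FILE__
```

The check only looks at the template string, not at where the locals come from, so it errs toward reporting every `html_safe`/`raw` inside an inline template; a fuller check would, as the maintainer's reply suggests, treat the string as a template body and track whether the interpolated local is user-controlled.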


Ah yeah this came up before.

I think I can handle this by treating it like a normal render but the template is from the string...

@presidentbeef presidentbeef locked and limited conversation to collaborators Nov 13, 2016