check_cross_site_scripting flags Environment Variables as unsafe #939

JPrevost opened this Issue Sep 28, 2016 · 4 comments


I've got code like:

<%= link_to("Thing", "#{ENV['SOME_URL']}") %>

Brakeman flags that as unsafe. That's not coming from a user, but a server admin.

Thoughts on whether this could be detected by brakeman as safe? Thanks!


Hi Jeremy,

I cannot reproduce this issue. I am fairly certain Brakeman does not warn about ENV. Can you share more about the warning?


Also, I don't mind doing the legwork on this but wanted to ask for guidance before digging in :)



Ah, yes, it's warning about params[:q]. This will be fixed in #940
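The distinction the thread lands on is between an href that comes from server-side configuration (ENV, set by an admin) and one that comes from the request (params[:q]). The following is an added example, not Brakeman's or Rails' code, written to show the difference in handling: the ENV value is rendered escaped, while a request-derived value is first passed through a scheme/host allowlist so that only relative paths and http(s) URLs reach the anchor. The names safe_href?, link_tag, link_from_config and link_from_params and the sample inputs are constructed for this illustration.

```ruby
require 'uri'
require 'cgi'

# Allowlist check for an href that came from a request parameter.
# Accepts relative paths (no scheme, no host) and absolute http(s) URLs;
# rejects javascript:, data: and other schemes, protocol-relative URLs,
# and anything Ruby's URI parser refuses (tabs, newlines, angle brackets).
def safe_href?(value)
  str = value.to_s.strip
  return false if str.empty?
  uri = URI.parse(str)
  if uri.scheme.nil?
    uri.host.nil?            # "/path?x=1" passes, "//evil.example/" does not
  else
    %w[http https].include?(uri.scheme.downcase)
  end
rescue URI::InvalidURIError
  false
end

# Render an anchor with both the attribute value and the text HTML-escaped.
# This mirrors the escaping link_to performs; escaping alone does not reject a
# javascript: scheme, which is why request-derived input goes through safe_href? first.
def link_tag(label, href)
  %(<a href="#{CGI.escapeHTML(href)}">#{CGI.escapeHTML(label)}</a>)
end

# The case from the issue: href taken from an admin-controlled ENV variable.
# It is configuration rather than request data, so it is used as-is (escaped),
# with a harmless default when the variable is unset.
def link_from_config(label, key, env: ENV)
  link_tag(label, env.fetch(key, '#'))
end

# The case Brakeman actually warned about: href taken from params[:q].
# Request-controlled input is only used when it passes the allowlist;
# otherwise a fixed fallback path is rendered instead.
def link_from_params(label, params, key: :q, fallback: '/')
  value = params[key]
  link_tag(label, safe_href?(value) ? value.to_s.strip : fallback)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs.
  puts link_from_config('Thing', 'SOME_URL', env: { 'SOME_URL' => 'https://example.test/thing' })
  puts link_from_params('Search', { q: '/search?term=rails' })
  puts link_from_params('Search', { q: 'javascript:void(0)' })   # falls back to "/"
end
```

Running the file prints the three anchors; the third one shows the fallback because the javascript: scheme is not on the allowlist. A config value that is itself wrong is an admin error rather than an injection, which is the reason the ENV path is not gated the same way.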

@presidentbeef presidentbeef locked and limited conversation to collaborators Feb 10, 2017