/
avoid-content-tag.yaml
35 lines (35 loc) · 1.11 KB
/
avoid-content-tag.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
rules:
- id: avoid-content-tag
message: >-
'content_tag' exhibits unintuitive escaping behavior and may accidentally
expose your application to cross-site scripting. If using Rails 2, only
attribute values are escaped. If using Rails 3, content and attribute values
are escaped. Tag and attribute names are never escaped. Because of this,
it is recommended to use 'html_safe' if you must render raw HTML data.
metadata:
cwe:
- "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
source-rule-url: https://brakemanscanner.org/docs/warning_types/content_tag/
references:
- https://brakemanscanner.org/docs/warning_types/content_tag/
category: security
technology:
- rails
owasp:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: MEDIUM
confidence: LOW
languages: [generic]
paths:
include:
- '*.erb'
severity: WARNING
patterns:
- pattern-inside: <%= ... %>
- pattern: content_tag