Brakeman Error - Unescaped model attribute near
I am getting a lot of warnings like the following:
Unescaped model attribute near line 20: show_errors(Objective.new(objective_params), :name)
Here is my code:
module ApplicationHelper
  # Error helper for forms: renders the first validation error for
  # field_name inside a <label>, or an empty string when there is none.
  def show_errors(object, field_name)
    if object.errors.any? && object.errors.messages[field_name][0].present?
      # The message is concatenated straight into raw HTML; nothing here
      # escapes the message text, which is what Brakeman is flagging.
      "<label class='text-error'>" + object.errors.messages[field_name][0] + "</label>"
    else
      ""
    end
  end
end
From the Brakeman Cross Site Scripting documentation:
By default, Brakeman will also warn when a parameter or cookie value is used as an argument to a method, the result of which is output unescaped to a view.
For example:
<%= some_method(cookie[:name]) %>
This raises a warning like:
Unescaped cookie value near line 5: some_method(cookies[:oreo])
However, the confidence level for this warning will be weak, because it is not directly outputting the cookie value.
That last sentence may be the important one. If you are sure that your value reaches the view escaped, this warning can be ignored/disabled.