ruby.rails.security.audit.xss.avoid-content-tag.avoid-content-tag
semgrep
Author
6,305
Download Count*
License
'content_tag()' bypasses HTML escaping for some portion of the content. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here. If you must do this, create your HTML manually and use 'html_safe'. Ensure no external data enters the HTML-safe string!
Run Locally
Run in CI
Defintion
rules:
- id: avoid-content-tag
metadata:
source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_content_tag.rb
owasp:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
cwe:
- "CWE-79: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting')"
references:
- https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/template_injection/index.markdown
- https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/
category: security
technology:
- rails
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: MEDIUM
confidence: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cross-Site-Scripting (XSS)
message: "'content_tag()' bypasses HTML escaping for some portion of the
content. If external data can reach here, this exposes your application to
cross-site scripting (XSS) attacks. Ensure no external data reaches here.
If you must do this, create your HTML manually and use 'html_safe'. Ensure
no external data enters the HTML-safe string!"
languages:
- ruby
severity: WARNING
pattern: content_tag(...)
Examples
avoid-content-tag.rb
# cf. https://apidock.com/rails/ActionView/Helpers/TagHelper/content_tag
# ruleid: avoid-content-tag
content_tag(:p, "Hello world!")
# => <p>Hello world!</p>
# ruleid: avoid-content-tag
content_tag(:div, content_tag(:p, "Hello world!"), class: "strong")
# => <div class="strong"><p>Hello world!</p></div>
# ruleid: avoid-content-tag
content_tag(:div, "Hello world!", class: ["strong", "highlight"])
# => <div class="strong highlight">Hello world!</div>
# ruleid: avoid-content-tag
content_tag("select", options, multiple: true)
# => <select multiple="multiple">...options...</select>
# cf. https://stackoverflow.com/a/4205709
module InputHelper
def editable_input(label,name)
# ruleid: avoid-content-tag
content_tag :div, :class => "field" do
# ruleid: avoid-content-tag
content_tag(:label,label) + # Note the + in this line
text_field_tag(name,'', :class => 'medium new_value')
end
end
end
Short Link: https://sg.run/dg8P