ruby.rails.security.audit.xss.templates.alias-for-html-safe.alias-for-html-safe

Verified by r2c
Community Favorite
Author: semgrep
Download count: 62,402

The syntax <%== ... %> is an alias for html_safe. This means the content inside these tags will be rendered as raw HTML. This may expose your application to cross-site scripting. If you need raw HTML, prefer using the more explicit html_safe and be sure to correctly sanitize variables using a library such as DOMPurify.


Definition

rules:
  - id: alias-for-html-safe
    message: The syntax `<%== ... %>` is an alias for `html_safe`. This means the
      content inside these tags will be rendered as raw HTML. This may expose
      your application to cross-site scripting. If you need raw HTML, prefer
      using the more explicit `html_safe` and be sure to correctly sanitize
      variables using a library such as DOMPurify.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      references:
        - https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027
        - https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===
      category: security
      technology:
        - rails
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - generic
    paths:
      include:
        - "*.erb"
    severity: WARNING
    patterns:
      - pattern: <%== ... %>
      - pattern-not: <%== $...A.to_json %>

Examples

alias-for-html-safe.erb

@custom_page_title = "Page <strong>Title</strong>"
<div>
  <!-- ruleid: alias-for-html-safe -->
  <h1><%== @custom_page_title %></h1>
  <!-- ok: alias-for-html-safe -->
  <h1><%= @custom_page_title %></h1>
  <!-- ok: alias-for-html-safe -->
  <h1><%== @custom_page_title.to_json %></h1>
</div>
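The following is an added example, not part of the Semgrep rule or its test file. In plain Ruby with no Rails dependency it shows two things: why the rule flags `<%== %>` (the html_safe alias emits the value without HTML escaping, while `<%= %>` escapes it), and the rule's own match/exclude logic (`pattern` minus the `.to_json` `pattern-not`) run over the fixture above. The renderer is a deliberately tiny stand-in for Rails' ERB handler that only understands `<%= %>` and `<%== %>` tags; `render_rails_like`, `audit_erb`, `json_escape_for_html` and the injected page title are all assumptions constructed for this example.

```ruby
# Added example, not part of the Semgrep rule page or its fixture.
require 'erb'   # ERB::Util.html_escape (stdlib)
require 'json'  # String#to_json (stdlib)

# Constructed, attacker-controlled page title (e.g. read from a form field).
UNTRUSTED_TITLE = 'Page <strong>Title</strong><script>/* injected */</script>'

# The fixture from the rule page, embedded as a string so this runs offline.
FIXTURE = <<~ERB
  <div>
    <!-- ruleid: alias-for-html-safe -->
    <h1><%== @custom_page_title %></h1>
    <!-- ok: alias-for-html-safe -->
    <h1><%= @custom_page_title %></h1>
    <!-- ok: alias-for-html-safe -->
    <h1><%== @custom_page_title.to_json %></h1>
  </div>
ERB

# Matches `<%= expr %>` (group 1 == "=") and `<%== expr %>` (group 1 == "==").
OUTPUT_TAG = /<%(==?)\s*(.+?)\s*%>/

# Mimics the Rails semantics the rule describes: `<%=` HTML-escapes the
# value, `<%==` (the html_safe alias) inserts it as raw HTML.
# Hypothetical helper; only output tags are supported, not `<% %>` code blocks.
def render_rails_like(template, ivars)
  ctx = Object.new
  ivars.each { |name, value| ctx.instance_variable_set("@#{name}", value) }
  template.gsub(OUTPUT_TAG) do
    raw   = Regexp.last_match(1) == '=='
    value = ctx.instance_eval(Regexp.last_match(2))
    raw ? value.to_s : ERB::Util.html_escape(value)
  end
end

ALIAS_TAG = /<%==\s*(.+?)\s*%>/

# Re-implements the rule's logic: every `<%== ... %>` is a finding unless the
# expression ends in `.to_json`, which is the rule's `pattern-not` exclusion.
def audit_erb(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    line.scan(ALIAS_TAG) do |(expr)|
      next if expr.end_with?('.to_json')
      findings << { line: lineno, expr: expr }
    end
  end
  findings
end

# Rails' ActiveSupport JSON encoder escapes <, > and & as \u003c, \u003e and
# \u0026, so JSON dropped into HTML cannot close a <script> element. Plain Ruby
# String#to_json does not do this; this helper reproduces the Rails behaviour
# so the `.to_json` exclusion can be reasoned about outside Rails.
JSON_HTML_ESCAPES = { '<' => '\u003c', '>' => '\u003e', '&' => '\u0026' }.freeze
def json_escape_for_html(json)
  json.gsub(/[<>&]/, JSON_HTML_ESCAPES)
end

if __FILE__ == $PROGRAM_NAME
  puts render_rails_like(FIXTURE, custom_page_title: UNTRUSTED_TITLE)
  audit_erb(FIXTURE).each do |f|
    puts "line #{f[:line]}: <%== #{f[:expr]} %> renders raw HTML (alias-for-html-safe)"
  end
end
```

Running it prints the fixture with the first `<h1>` containing the injected `<script>` element verbatim, the second `<h1>` with it escaped to `&lt;script&gt;`, and the third `<h1>` with the plain-Ruby JSON string still containing `<script>`; the audit reports only line 3. The last point is the caveat behind the rule's `.to_json` exclusion: it is only safe because Rails' own `to_json` escapes `<`, `>` and `&`, which `json_escape_for_html` reproduces.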