ruby.rails.security.audit.xss.templates.avoid-content-tag.avoid-content-tag
semgrepAuthor
1,557
Download Count*
License
'content_tag' exhibits unintuitive escaping behavior and may accidentally expose your application to cross-site scripting. If using Rails 2, only attribute values are escaped. If using Rails 3, content and attribute values are escaped. Tag and attribute names are never escaped. Because of this, it is recommended to use 'html_safe' if you must render raw HTML data.
Run Locally
Run in CI
Defintion
rules:
- id: avoid-content-tag
message: "'content_tag' exhibits unintuitive escaping behavior and may
accidentally expose your application to cross-site scripting. If using
Rails 2, only attribute values are escaped. If using Rails 3, content and
attribute values are escaped. Tag and attribute names are never escaped.
Because of this, it is recommended to use 'html_safe' if you must render
raw HTML data."
metadata:
cwe:
- "CWE-79: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting')"
source-rule-url: https://brakemanscanner.org/docs/warning_types/content_tag/
references:
- https://brakemanscanner.org/docs/warning_types/content_tag/
category: security
technology:
- rails
owasp:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: MEDIUM
confidence: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cross-Site-Scripting (XSS)
languages:
- generic
paths:
include:
- "*.erb"
severity: WARNING
patterns:
- pattern-inside: <%= ... %>
- pattern: content_tag
Examples
avoid-content-tag.erb
@custom_page_title = “Page <strong>Title</strong>”
<div>
<!-- ruleid: avoid-content-tag -->
<h1><%= content_tag :p @custom_page_title %></h1>
<!-- ok: avoid-content-tag -->
<h1><%= @custom_page_title %></h1>
</div>
Short Link: https://sg.run/gJxo