ruby.rails.security.audit.xss.templates.avoid-html-safe.avoid-html-safe

profile photo of returntocorpreturntocorp
Author
1,557
Download Count*

'html_safe' renders raw HTML. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify.

Run Locally

Run in CI

Defintion

rules:
  - id: avoid-html-safe
    message: "'html_safe' renders raw HTML. This means that normal HTML escaping is
      bypassed. If user data can be controlled here, this exposes your
      application to cross-site scripting (XSS). If you need to do this, be sure
      to correctly sanitize the data using a library such as DOMPurify."
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cross_site_scripting.rb
      references:
        - https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===
        - https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027
      category: security
      technology:
        - rails
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - generic
    paths:
      include:
        - "*.erb"
    severity: WARNING
    patterns:
      - pattern-inside: <%= ... %>
      - pattern: $SOMETHING.html_safe

Examples

avoid-html-safe.erb

@custom_page_title = “Page <strong>Title</strong>”
<div>
  <!-- ruleid: avoid-html-safe -->
  <h1><%= @custom_page_title.html_safe %></h1>
  <!-- ok: avoid-html-safe -->
  <h1><%= @custom_page_title %></h1>
</div>