ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw

Author: semgrep
Download count: 1,557

`raw` renders its argument as raw HTML, as the name implies: it marks the string `html_safe`, so the HTML escaping that ActionView applies to every `<%= %>` output is bypassed. If user data can reach that value, the application is exposed to cross-site scripting (XSS). The rule matches any `raw` inside a `<%= ... %>` tag in `.erb` files, whether or not the data is user-controlled, which is why it is an audit rule with LOW confidence. If you genuinely need to emit markup, sanitize it server-side first; in Rails that is the `sanitize` helper (backed by rails-html-sanitizer), or build the trusted part with `content_tag`/`safe_join` and let the user-supplied part be escaped as usual. DOMPurify, which the rule message names, is a browser-side JavaScript library and does not protect server-rendered output.

Definition

rules:
  - id: avoid-raw
    message: "'raw' renders raw HTML, as the name implies. This means that normal
      HTML escaping is bypassed. If user data can be controlled here, this
      exposes your application to cross-site scripting (XSS). If you need to do
      this, be sure to correctly sanitize the data using a library such as
      DOMPurify."
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cross_site_scripting.rb
      references:
        - https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===
        - https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027
      category: security
      technology:
        - rails
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - generic
    paths:
      include:
        - "*.erb"
    severity: WARNING
    patterns:
      - pattern-inside: <%= ... %>
      - pattern: raw

Examples

avoid-raw.erb

<% @custom_page_title = "Page <strong>Title</strong>" %>
<div>
  <!-- ruleid: avoid-raw -->
  <h1><%= raw @custom_page_title %></h1>
  <!-- ok: avoid-raw -->
  <h1><%= @custom_page_title %></h1>
</div>
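The following is an added example, not code from the Semgrep rule or its fixture above. It reproduces the fixture's scenario with Ruby's stdlib ERB (no ActionView, so Rails' default escaping is modelled explicitly with `ERB::Util.html_escape`), shows the payload reaching the page through a `raw`-style output and being neutralised by the escaped one, builds the "Page <strong>Title</strong>" markup so that only the user part is escaped, and goes one step beyond the rule with a small line scanner that also flags `.html_safe` and `<%==`, two unescaped-output sinks the rule's single `raw` pattern does not cover. The attacker title and `SAMPLE_VIEW` are constructed inputs; `render_raw`, `render_escaped`, `safe_custom_page_title` and `unescaped_outputs` are names chosen here.

```ruby
# Added example, not part of the Semgrep rule or its test fixture. Uses only
# Ruby's stdlib ERB so it runs offline; ActionView is not loaded, so Rails'
# auto-escaping is modelled explicitly with ERB::Util.html_escape.
require "erb"

# Rails' <%= %> HTML-escapes any value that is not marked html_safe?; `raw`
# marks it html_safe and so disables that escaping. Stdlib ERB never escapes,
# so a bare <%= title %> here behaves like Rails' <%= raw title %>, and the
# explicit html_escape call behaves like a plain Rails <%= title %>.
RAW_TEMPLATE     = "<h1><%= title %></h1>"                          # Rails: <%= raw title %>
ESCAPED_TEMPLATE = "<h1><%= ERB::Util.html_escape(title) %></h1>"  # Rails: <%= title %>

# Constructed attacker input: a user-editable page title carrying a script tag.
ATTACKER_TITLE = "<script>alert(document.cookie)</script>"

def render(template, title)
  ERB.new(template).result_with_hash(title: title)
end

def render_raw(title)
  render(RAW_TEMPLATE, title)
end

def render_escaped(title)
  render(ESCAPED_TEMPLATE, title)
end

# The fixture's scenario: the app wants "Page <strong>Title</strong>" where
# only "Title" is user-controlled. Escape the untrusted part first; the
# surrounding tags are a literal the developer wrote. In a Rails view the same
# result comes from safe_join(["Page ", content_tag(:strong, user_title)]):
# content_tag escapes its content and safe_join returns an html_safe buffer,
# so `raw` is never needed.
def safe_custom_page_title(user_title)
  "Page <strong>#{ERB::Util.html_escape(user_title)}</strong>"
end

# A line scanner with the rule's intent (`raw` inside <%= ... %>) plus two
# unescaped-output sinks the rule's single `raw` pattern does not look for:
# `.html_safe` and the `<%==` tag that Rails' Erubi handler renders unescaped.
UNESCAPED_SINKS = [
  [/<%=(?!=).*?\braw\b.*?%>/,       "raw"],
  [/<%=(?!=).*?\.html_safe\b.*?%>/, "html_safe"],
  [/<%==/,                           "<%=="],
].freeze

def unescaped_outputs(erb_source)
  findings = []
  erb_source.each_line.with_index(1) do |line, lineno|
    UNESCAPED_SINKS.each do |re, kind|
      findings << [lineno, kind] if line.match?(re)
    end
  end
  findings
end

# Constructed view source: the fixture's two lines plus the two extra sinks.
SAMPLE_VIEW = <<~'ERB'
  <h1><%= raw @custom_page_title %></h1>
  <h1><%= @custom_page_title %></h1>
  <h1><%= @custom_page_title.html_safe %></h1>
  <h1><%== @custom_page_title %></h1>
ERB

if __FILE__ == $PROGRAM_NAME
  puts render_raw(ATTACKER_TITLE)                          # script tag survives
  puts render_escaped(ATTACKER_TITLE)                      # rendered as text
  puts render_raw(safe_custom_page_title(ATTACKER_TITLE))  # <strong> kept, payload escaped
  p unescaped_outputs(SAMPLE_VIEW)                         # [[1, "raw"], [3, "html_safe"], [4, "<%=="]]
end
```

Run it with `ruby avoid_raw_demo.rb`. The first line of output is the page a victim would receive from `<%= raw @custom_page_title %>` when the title is attacker-controlled; the third shows that keeping the developer-written `<strong>` never required `raw` on the user-supplied part. The scanner is a line-based approximation of the Semgrep generic-mode rule, not a replacement for it, and the extra `.html_safe` and `<%==` checks are this example's addition.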