Avoid content tag


ID: ruby-security/no-content-tag

Language: Ruby

Severity: Warning

Category: Security


The rule “Avoid content_tag” is crucial in Ruby development as it helps prevent potential cross-site scripting (XSS) attacks. The content_tag method in Ruby on Rails can inadvertently expose your application to XSS attacks when user input is directly passed into the method. This is because content_tag does not escape HTML content by default, therefore, it can render potentially harmful scripts if the content includes any.

To ensure your Ruby code is secure and compliant, it’s highly recommended to use other methods that automatically escape content, such as safe_join or tag. Instead of using content_tag(:p, "Unsafe Code!"), you would use tag.p("Unsafe Code!"). Similarly, instead of content_tag(:div, content_tag(:p, "Hello!"), class: "strong"), you would use tag.div(tag.p("Hello!"), class: "strong").

By avoiding the use of content_tag, you can protect your application from potential security threats and keep your code safe and robust.

Non-Compliant Code Examples

content_tag(:p, "Unsafe Code!")
content_tag(:div, content_tag(:p, "Hello!"), class: "strong")
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis