The html_safe method in Ruby on Rails marks a string as trusted and disables automatic HTML escaping. If any untrusted input is included, the output may contain raw HTML/JS and can lead to XSS. Thus, any use of html_safe on interpolated strings should be treated as unsafe unless every interpolated value is known to be safe.
This applies even if you are using h (also known as html_escape) because h does nothing if the string has already been marked html_safe.
Prefer letting Rails escape automatically:

```erb
<p><%= user_input %></p>
```

Or use tag helpers:

```ruby
content_tag(:p, user_input)
tag.p(user_input)
```

When HTML is required, use sanitize:

```ruby
content_tag(:p, sanitize(user_input))
```
Non-Compliant Code Examples
```ruby
# Unsafe unless `username` is trusted or explicitly escaped
page_content = "<p>hello, #{username}</p>".html_safe

# Unsafe unless you can prove `user_input` is not already marked `html_safe` (because `h` will not escape it).
page_content = "<p>description: #{h(user_input)}</p>".html_safe
```
Compliant Code Examples
```ruby
# For when HTML is required
content = content_tag(:p, sanitize(user_input))

# Tag helpers automatically perform escaping
content = content_tag(:p, "hello, #{username}")

# String literals are safe
content = "<p>hello</p>".html_safe
```
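As an added example (not the page's or Rails' own code), the following plain-Ruby model of html_safe, h, and an escaping buffer reproduces the two non-compliant patterns above, including the case where h is a no-op because the value was already marked html_safe, next to the helper-style compliant pattern, so the outputs can be compared without a Rails app; SafeString, safe_helper, and PAYLOAD are assumptions of this example.

```ruby
# Added example, not Rails' own code: a minimal stand-in for Rails'
# html_safe / h behaviour so the pitfall runs in plain Ruby.
require "cgi"

# Models ActiveSupport::SafeBuffer: a String flagged as trusted whose
# `<<` escapes untrusted input but passes already-safe input through.
class SafeString < String
  def html_safe?; true; end

  def <<(other)
    s = other.is_a?(String) ? other : other.to_s
    super(s.html_safe? ? s : CGI.escapeHTML(s))
  end
end

class String
  def html_safe?; false; end
  def html_safe; SafeString.new(self); end
end

# Models Rails' `h` (ERB::Util.html_escape): a no-op when the value is
# already marked html_safe, otherwise escape and mark the result safe.
def h(str)
  str.html_safe? ? str : CGI.escapeHTML(str).html_safe
end

PAYLOAD = "<script>alert(1)</script>" # constructed untrusted input

# Non-compliant: interpolation builds a plain String containing the raw
# input, and html_safe then vouches for the whole thing.
def unsafe_interpolation(username)
  "<p>hello, #{username}</p>".html_safe
end

# Non-compliant: `h` cannot help if an upstream caller already marked
# the value html_safe; the raw input passes straight through.
def unsafe_h_on_safe_value(user_input)
  "<p>description: #{h(user_input)}</p>".html_safe
end

# Compliant: only the literal markup is marked safe; the untrusted body
# goes through `<<`, which escapes it (as tag.p / content_tag do).
def safe_helper(username)
  buf = "<p>hello, ".html_safe
  buf << username
  buf << "</p>".html_safe
end
```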
```yaml
rulesets:
  - ruby-security # Rules to enforce Ruby security.
```