Metadata

ID: ruby-security/no-content-tag

Language: Ruby

Severity: Warning

Category: Security

CWE: 79

Description

The rule “Avoid content_tag” matters in Ruby development because it helps prevent potential cross-site scripting (XSS) attacks. The content_tag method in Ruby on Rails can inadvertently expose your application to XSS when user input is passed directly into the method. Because content_tag does not escape HTML content by default, it can render potentially harmful scripts if the content contains any.

To keep your Ruby code secure and compliant, it is strongly recommended to use methods that escape content automatically, such as safe_join or tag. Instead of content_tag(:p, "Unsafe Code!"), use tag.p("Unsafe Code!"). Similarly, instead of content_tag(:div, content_tag(:p, "Hello!"), class: "strong"), use tag.div(tag.p("Hello!"), class: "strong").

By avoiding the use of content_tag, you can protect your application from potential security threats and keep your code safe and robust.

Non-Compliant Code Examples

content_tag(:p, "Unsafe Code!")
content_tag(:div, content_tag(:p, "Hello!"), class: "strong")
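The following is an added, self-contained illustration of the escaping behaviour the description relies on; it is not code from this rule page or from Rails. It contrasts a hypothetical helper that interpolates content verbatim (the failure mode the rule warns about) with a hypothetical helper that escapes both content and attribute values using the standard library's ERB::Util.html_escape, and it uses a small SafeHtml marker class (an assumption of this example, standing in for Rails' html_safe strings) so that nested tags are not double-escaped. The sample user input is constructed.

```ruby
require "erb"

# Constructed sample: a value a user might submit through a form field.
USER_INPUT = '<script>alert("xss")</script>'

# Marker for markup that has already been escaped and must not be escaped again
# (hypothetical stand-in for Rails' html_safe strings).
class SafeHtml < String; end

# Escape anything that is not already marked safe.
def escape(value)
  value.is_a?(SafeHtml) ? value : ERB::Util.html_escape(value.to_s)
end

# Hypothetical unsafe builder: interpolates content and attributes verbatim.
# Passing untrusted input here puts raw markup into the page.
def unsafe_tag(name, content, **attrs)
  attr_str = attrs.map { |k, v| " #{k}=\"#{v}\"" }.join
  "<#{name}#{attr_str}>#{content}</#{name}>"
end

# Hypothetical escaping builder: content and attribute values are HTML-escaped
# before the markup is assembled, and the result is marked safe so it can be
# nested inside another safe_tag call without being escaped twice.
def safe_tag(name, content, **attrs)
  attr_str = attrs.map { |k, v| " #{k}=\"#{escape(v)}\"" }.join
  SafeHtml.new("<#{name}#{attr_str}>#{escape(content)}</#{name}>")
end

# Simple review check over rendered output: does the markup still contain a raw
# <script opening tag or an inline event-handler attribute?
def contains_raw_script?(html)
  html.match?(/<script\b/i) || html.match?(/\son\w+\s*=/i)
end

if __FILE__ == $PROGRAM_NAME
  puts unsafe_tag(:p, USER_INPUT)
  puts safe_tag(:p, USER_INPUT)
  puts safe_tag(:div, safe_tag(:p, "Hello!"), class: "strong")
end
```

Running the file prints the unescaped paragraph first, then the escaped version in which the angle brackets and quotes have been turned into entities, and finally the nested div/p example from the description rendered once without double escaping. The contains_raw_script? check is deliberately crude; it is meant as a smoke test for rendered templates, not as a substitute for proper escaping.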