ID: ruby-security/no-html-safe
Language: Ruby
Severity: Warning
Category: Security
CWE: 79
The `html_safe` method in Ruby on Rails marks a string as safe, meaning it will not be HTML-escaped again on output. This rule advises against the use of `html_safe` because it can lead to cross-site scripting (XSS) vulnerabilities if misused. XSS attacks occur when an attacker manages to inject malicious scripts into web pages viewed by other users.

The `html_safe` method matters because it tells Rails that the string is safe to output without escaping. However, if user input is included in the string and not properly sanitized, it could lead to an XSS vulnerability: any HTML tags, including script tags, would be rendered as-is in the browser, potentially executing malicious code.
To avoid this, use other methods for escaping HTML. For instance, the `h` method (alias for `html_escape`) automatically escapes any dangerous HTML content. If you need to include safe HTML within a string, consider using the `sanitize` method, which only allows known safe tags. For example, instead of writing `"<p>#{user_input}</p>".html_safe`, you could write `"<p>#{h(user_input)}</p>".html_safe` or `sanitize("<p>#{user_input}</p>")`.

Non-compliant code examples:

```ruby
"<p>something</p>".html_safe
page_content = "<div>hello</div>".html_safe + "<p>world</p>"
```
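As an added example that is not part of the rule page and not Rails' own code, the block below models, with only the Ruby standard library, the contract the rule protects: `h` implemented as `ERB::Util.html_escape` (which is what Rails' `h` delegates to), a `SafeBuffer` stand-in for `ActiveSupport::SafeBuffer`, and a `render` function that escapes anything not marked safe. It assumes a constructed `USER_INPUT` containing a script tag; `sanitize` is left out because it depends on the rails-html-sanitizer gem.

```ruby
require "erb"

# Added example (not from the rule page or Rails): a stdlib-only model of the
# contract behind html_safe. Rails' `h` is ERB::Util.html_escape; SafeBuffer
# imitates ActiveSupport::SafeBuffer. sanitize is not modelled (needs a gem).

# Escape the characters HTML treats specially in text: & < > " '
def h(value)
  ERB::Util.html_escape(value.to_s)
end

# A string tagged "already safe"; the renderer emits it verbatim.
class SafeBuffer < String
  def html_safe?; true; end

  # As in Rails: appending an unsafe string escapes it, a safe one is kept.
  def +(other)
    safe = other.respond_to?(:html_safe?) && other.html_safe?
    SafeBuffer.new(to_s + (safe ? other.to_s : h(other)))
  end
end

class String
  def html_safe?; false; end
  def html_safe; SafeBuffer.new(self); end
end

# What a Rails view's <%= %> does: escape unless the value is marked safe.
def render(value)
  value.html_safe? ? value.to_s : h(value)
end

# Constructed sample input containing markup, to show the difference.
USER_INPUT = "<script>alert(1)</script>"

# The pattern the rule flags: user input interpolated, then marked safe.
def marked_safe_unescaped
  render("<p>#{USER_INPUT}</p>".html_safe)
end

# The fix from the rule text: escape the input with h before marking safe.
def escaped_then_marked_safe
  render("<p>#{h(USER_INPUT)}</p>".html_safe)
end

# The page's second example: + escapes the unsafe right-hand side, so the
# <p> tags meant as markup come out as visible text rather than elements.
def safe_plus_unsafe
  render("<div>hello</div>".html_safe + "<p>world</p>")
end
```

The first function shows the script tag reaching the browser untouched; the second shows it neutralised; the third shows why the concatenation form is also misleading, since the appended `<p>` is escaped rather than rendered as an element.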
For more information, please read the Code Security documentation