ID: ruby-security/rails-avoid-raw
Language: Ruby
Severity: Info
Category: Security
CWE: 79
The `raw` method in Ruby on Rails is used to output unescaped strings of text directly to the HTML. This method can lead to Cross-Site Scripting (XSS) vulnerabilities if user input is passed into it, as it allows for the execution of malicious scripts.

XSS attacks can lead to a variety of security problems, such as data theft, website defacement, and distribution of malware to users. As such, it's crucial to prevent these vulnerabilities in your code.

To avoid this, instead of using `raw`, consider using the `html_safe` method on strings that you know are safe, or the `sanitize` method on strings that may contain user input. Both of these methods will ensure that any potentially harmful scripts in the string are properly escaped before being output to the HTML. For example, instead of using `raw(my_variable)`, you could use `sanitize(my_variable)`.
Non-compliant code examples (both calls are flagged by this rule; the second passes the unescaped result on to another helper):

```ruby
raw(my_variable)
another raw(my_variable)
```
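To make the difference concrete outside of a Rails app, the following added example (not from the Datadog rule page or from Rails itself) uses plain Ruby's ERB and `CGI.escapeHTML` as stand-ins: `escaped` mimics the default escaping of `<%= %>`, `raw` mimics the pass-through behaviour the rule warns about, and `contains_script_tag?` is a simple defender-side check on the rendered markup. Rails' `sanitize` allowlist filter is not reproduced here; the helper names and the sample input are assumptions constructed for this example.

```ruby
require "erb"
require "cgi"

# Stand-in for Rails' default <%= %> behaviour: HTML-escape the value.
# (Assumption: plain Ruby, no Rails loaded; helper defined for this example.)
def escaped(value)
  CGI.escapeHTML(value.to_s)
end

# Stand-in for Rails' raw helper: the string is emitted untouched.
def raw(value)
  value.to_s
end

# Render a comment into a small ERB template using the chosen output helper.
# `helper` is a Method object (method(:escaped) or method(:raw)).
def render_comment(comment, helper)
  template = ERB.new("<div class=\"comment\"><%= helper.call(comment) %></div>")
  template.result_with_hash(comment: comment, helper: helper)
end

# Constructed sample of attacker-controlled input, as it might arrive from a form.
CONSTRUCTED_INPUT = "<script>alert('xss')</script>"

# What the page flags: user input passed through raw reaches the HTML verbatim.
def render_unsafe(input = CONSTRUCTED_INPUT)
  render_comment(input, method(:raw))
end

# The escaped alternative: the same input becomes inert text.
def render_safe(input = CONSTRUCTED_INPUT)
  render_comment(input, method(:escaped))
end

# Simple check a reviewer or test suite can run over rendered output:
# does a live <script element survive rendering?
def contains_script_tag?(html)
  html.match?(/<script\b/i)
end

if __FILE__ == $PROGRAM_NAME
  puts "raw:     #{render_unsafe}"
  puts "escaped: #{render_safe}"
end
```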