Class: HamlLint::Linter::UnescapedHtml

Inherits:
HamlLint::Linter
Includes:
HamlLint::LinterRegistry
Defined in:
lib/haml_lint/linter/unescaped_html.rb

Overview

Flags HAML’s unescaped-output markers (`!=`, `!~`, and the unescaped plain-text `!`), which bypass HTML escaping.

Like `raw`, `html_safe`, and `h()` in Rails, these make it easy to accidentally introduce XSS vulnerabilities when the output includes user-controlled data, e.g.:

!= "Username: <strong>#{user.name}</strong>"
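As an added example (not code from haml_lint, whose linter walks the HAML parse tree rather than raw lines), the following Ruby script re-implements the `/\A\s*!/` check from `#visit_script` as a line-based scan over a constructed HAML snippet, then renders the flagged `!=` line above with and without HTML escaping to show what the lint guards against. The `DOCTYPE` exclusion, `lint_haml`, `render_username` and the sample template are assumptions of this simplified model, not project APIs.

```ruby
require 'erb'

# Added example, not part of haml_lint. The real linter visits HAML's parse
# tree and applies /\A\s*!/ to each script node's source; this version applies
# the same pattern line by line so it runs without the haml gem installed.
UNESCAPED_SCRIPT = /\A\s*!/.freeze

# A doctype line (`!!! 5`) also starts with `!`, but HAML parses it as a
# doctype node, so #visit_script never sees it. A line-based scan has to skip
# it explicitly (an assumption of this simplified model).
DOCTYPE = /\A\s*!!!/.freeze

def unescaped_script?(line)
  return false if DOCTYPE.match?(line)

  UNESCAPED_SCRIPT.match?(line)
end

# Returns [line_number, source] pairs for every flagged line.
def lint_haml(source)
  source.each_line.with_index(1).filter_map do |line, lineno|
    [lineno, line.chomp] if unescaped_script?(line)
  end
end

# Constructed HAML template (not from the project's fixtures). The quoted
# heredoc keeps `#{user.name}` literal instead of interpolating it here.
SAMPLE_HAML = <<~'HAML'
  !!! 5
  %p= user.name
  != "Username: <strong>#{user.name}</strong>"
  = "Username: #{user.name}"
  !~ user.bio
  ! Hello, #{user.name}
    != partial_html
HAML

# Simulates what the `!=` line renders for a user-controlled name. With
# escape: false the markup inside the name is emitted as markup; with
# escape: true it is emitted as text, which is what HAML's default `=` does.
def render_username(name, escape:)
  value = escape ? ERB::Util.html_escape(name) : name
  "Username: <strong>#{value}</strong>"
end

if $PROGRAM_NAME == __FILE__
  lint_haml(SAMPLE_HAML).each do |lineno, src|
    puts "line #{lineno}: #{src}  # unescaped output, bypasses HTML escaping"
  end

  # Constructed user-controlled value containing markup.
  name = '<script>alert(1)</script>'
  puts "unescaped: #{render_username(name, escape: false)}"
  puts "escaped:   #{render_username(name, escape: true)}"
end
```

Running the script reports lines 3, 5, 6 and 7 of the sample as unescaped and shows that, with escaping, the `<script>` tag inside the name is rendered as `&lt;script&gt;` text rather than as an element. The fix the `MESSAGE` constant points to is to keep HAML's default escaping (`= "Username: #{user.name}"`) or to sanitize the value before handing it to `!=`.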

Constant Summary

MESSAGE =
'Avoid outputting unescaped HTML with `!`; it bypasses HTML escaping and ' \
'can introduce XSS vulnerabilities. Sanitize the value instead.'

Instance Attribute Summary

Attributes inherited from HamlLint::Linter

#lints

Instance Method Summary

Methods included from HamlLint::LinterRegistry

extract_linters_from, included

Methods inherited from HamlLint::Linter

autocorrect_priority, autocorrect_safe?, #initialize, #name, ruby_parser, #run, #run_or_raise, supports_autocorrect?, #supports_autocorrect?

Methods included from HamlVisitor

#visit, #visit_children

Constructor Details

This class inherits a constructor from HamlLint::Linter

Instance Method Details

#visit_script(node) ⇒ Object

# File 'lib/haml_lint/linter/unescaped_html.rb', line 19

def visit_script(node)
  record_lint(node, MESSAGE) if /\A\s*!/.match?(node.source_code)
end

#visit_tag(node) ⇒ Object

# File 'lib/haml_lint/linter/unescaped_html.rb', line 23

def visit_tag(node)
  record_lint(node, MESSAGE) if node.unescape_html?
end