Class: HamlLint::Linter::UnescapedHtml

Inherits:
Linter
  • Object
show all
Includes:
HamlLint::LinterRegistry
Defined in:
lib/haml_lint/linter/unescaped_html.rb

Overview

Flags Haml's unescaped-output markers (!=, !~, and the unescaped plain-text !), which bypass HTML escaping.

Like raw, html_safe, and h() in Rails, these make it easy to accidentally introduce XSS vulnerabilities when the output includes user-controlled data, e.g.:

!= "Username: <strong>#{user.name}</strong>"

Constant Summary collapse

MESSAGE =
'Avoid outputting unescaped HTML with `!`; it bypasses HTML escaping and ' \
'can introduce XSS vulnerabilities. Sanitize the value instead.'

Instance Method Summary collapse

Methods included from HamlLint::LinterRegistry

extract_linters_from, included

Instance Method Details

#visit_script(node) ⇒ Object



19
20
21
# File 'lib/haml_lint/linter/unescaped_html.rb', line 19

def visit_script(node)
  record_lint(node, MESSAGE) if /\A\s*!/.match?(node.source_code)
end

#visit_tag(node) ⇒ Object



23
24
25
# File 'lib/haml_lint/linter/unescaped_html.rb', line 23

def visit_tag(node)
  record_lint(node, MESSAGE) if node.unescape_html?
end