Class: HamlLint::Linter::UnescapedHtml
- Inherits:
-
Linter
- Object
- Linter
- HamlLint::Linter::UnescapedHtml
- Includes:
- HamlLint::LinterRegistry
- Defined in:
- lib/haml_lint/linter/unescaped_html.rb
Overview
Flags Haml's unescaped-output markers (!=, !~, and the unescaped
plain-text !), which bypass HTML escaping.
Like raw, html_safe, and h() in Rails, these make it easy to
accidentally introduce XSS vulnerabilities when the output includes
user-controlled data, e.g.:
!= "Username: <strong>#{user.name}</strong>"
Constant Summary collapse
- MESSAGE =
'Avoid outputting unescaped HTML with `!`; it bypasses HTML escaping and ' \ 'can introduce XSS vulnerabilities. Sanitize the value instead.'
Instance Method Summary collapse
Methods included from HamlLint::LinterRegistry
extract_linters_from, included
Instance Method Details
#visit_script(node) ⇒ Object
19 20 21 |
# File 'lib/haml_lint/linter/unescaped_html.rb', line 19 def visit_script(node) record_lint(node, MESSAGE) if /\A\s*!/.match?(node.source_code) end |
#visit_tag(node) ⇒ Object
23 24 25 |
# File 'lib/haml_lint/linter/unescaped_html.rb', line 23 def visit_tag(node) record_lint(node, MESSAGE) if node.unescape_html? end |