Home > Back-end >  Rails: html_safe not safe?
Rails: html_safe not safe?

Time:12-09

I have this working piece of code:

content_tag('p', params[:text]&.html_safe, class: 'nice-class')

And I'm using RuboCop, which is telling me that "tagging a string as html safe may be a security risk". (Also using raw())

As I understood in Why Rubocop do not allow html_safe or raw() Rails, there shouldn't be problems using & as it ignores the html_safe if the string is empty, but doesn't seem so.

Is there any other way to solve this or may I just ignore RuboCop.

CodePudding user response:

Rubocop is flagging params[:text]&.html_safe as bad practice because this can expose your code to Cross site scripting attacks.

Even brakeman raises issue for such cases. Check link

In Rails 3, templates escaped output by default. Hooray! Sadly, Rails 3 also introduced the unfortunately named html_safe method to bypass this escaping. Quite a few people have been confused into thinking html_safe makes strings safe. What it really does is mark the string as “safe” so that it will not be escaped. (The raw method does the same thing.)

html_safe api doc suggests to use sanitize instead


The code after using sanitize method will look like -

content_tag('p', sanitize params[:text], class: 'nice-class')

  • Related