Brakeman Error - Unescaped model attribute near
Problem description

I am getting a lot of errors, as follows:
Unescaped model attribute near line 20: show_errors(Objective.new(objective_params), :name)
Here is my code:
module ApplicationHelper
  # Error helper for forms: wraps the first validation message for
  # field_name in a label, or returns an empty string when there is none.
  def show_errors(object, field_name)
    if object.errors.any? && object.errors.messages[field_name][0].present?
      "<label class='text-error'>" + object.errors.messages[field_name][0] + "</label>"
    else
      ""
    end
  end
end
Recommended answer

From the Brakeman Cross Site Scripting docs:

By default, Brakeman will also warn when a parameter or cookie value is used as an argument to a method, the result of which is output unescaped to a view.

For example:
<%= some_method(cookie[:name]) %>
This will raise a warning like:
Unescaped cookie value near line 5: some_method(cookies[:oreo])
However, the confidence level for this warning will be weak, because it is not directly outputting the cookie value.

The last statement may be important. If you are sure your value gets into the view escaped, this warning could probably be ignored/disabled.
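To make the answer's caveat concrete, here is an added example (not the asker's or the answerer's code, and it does not need Rails) that contrasts the helper from the question with a version that escapes the validation message before wrapping it in the label. FakeErrors, FakeObject and the sample messages are constructed stand-ins for this example only.

```ruby
require "erb"

# Stand-in for ActiveModel::Errors so this runs without Rails (constructed
# for this example; it only mimics #any? and #messages).
class FakeErrors
  attr_reader :messages

  def initialize(messages)
    @messages = messages
  end

  def any?
    !@messages.empty?
  end
end

FakeObject = Struct.new(:errors)

# First validation message for field_name, or nil when there is none.
def first_message(object, field_name)
  message = object.errors.messages.fetch(field_name, [])[0]
  message if object.errors.any? && !message.to_s.empty?
end

# The helper as posted: the message is concatenated raw. If the result is
# later marked html_safe (or rendered with raw), anything inside the message
# reaches the browser as markup, which is the case Brakeman is warning about.
def show_errors_unsafe(object, field_name)
  message = first_message(object, field_name)
  return "" unless message
  "<label class='text-error'>" + message + "</label>"
end

# Hardened form: escape only the untrusted message and keep the label markup
# literal. In Rails, content_tag(:label, message, class: "text-error") does
# this escaping for you and returns a SafeBuffer.
def show_errors_safe(object, field_name)
  message = first_message(object, field_name)
  return "" unless message
  "<label class='text-error'>" + ERB::Util.html_escape(message) + "</label>"
end

# Constructed sample: a validation message that carries user-supplied markup.
TAINTED = FakeObject.new(FakeErrors.new({ name: ["<script>alert(1)</script> is invalid"] }))
CLEAN   = FakeObject.new(FakeErrors.new({}))

puts show_errors_unsafe(TAINTED, :name)
puts show_errors_safe(TAINTED, :name)
```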