Brakeman Error - Unescaped model attribute near


Question

I am getting a lot of errors as follows

Unescaped model attribute near line 20: show_errors(Objective.new(objective_params), :name)

Here is my code

module ApplicationHelper
  # Error Helper for Form
  def show_errors(object, field_name)
    if object.errors.any? && object.errors.messages[field_name][0].present?
      "<label class='text-error'>" + object.errors.messages[field_name][0] + "</label>"
    else
      return ""
    end
  end
end

Accepted answer

From the Brakeman Cross Site Scripting docs:

By default, Brakeman will also warn when a parameter or cookie value is used as an argument to a method, the result of which is output unescaped to a view.

For example:

<%= some_method(cookie[:name]) %>

This will raise a warning such as:

Unescaped cookie value near line 5: some_method(cookies[:oreo])

However, the confidence level for this warning will be weak, because it is not directly outputting the cookie value.

The last statement may be important. If you are sure your value gets into the view escaped, this warning could probably be ignored/disabled.
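The warning above is about the helper placing a model-derived string into markup by string concatenation. As an added example (not code from the question or the answer), the posted helper is shown next to a form that escapes the message with ERB::Util.html_escape from the Ruby standard library; the Errors/FakeModel structs and the sample validation message are constructed stand-ins for an ActiveModel object, so it runs without Rails.

```ruby
require "erb"

# Constructed stand-in for an ActiveModel object: only the pieces the helper
# touches (object.errors.any? and object.errors.messages) are modelled.
Errors = Struct.new(:messages) do
  def any?
    messages.values.any? { |list| !list.empty? }
  end
end
FakeModel = Struct.new(:errors)

# Helper as posted in the question: the first error message is concatenated
# into the markup unescaped. If the caller renders the result with raw or
# html_safe, a message that reflects submitted input becomes live HTML,
# which is why Brakeman reports "Unescaped model attribute".
def show_errors_unescaped(object, field_name)
  msg = object.errors.messages[field_name]&.first
  return "" unless object.errors.any? && msg
  "<label class='text-error'>" + msg + "</label>"
end

# Hardened form: HTML-escape the message before it is placed in the markup,
# so only the label tags the helper itself wrote reach the page as HTML.
# (In Rails, content_tag or ERB::Util.html_escape does the same job.)
def show_errors_escaped(object, field_name)
  msg = object.errors.messages[field_name]&.first
  return "" unless object.errors.any? && msg
  "<label class='text-error'>" + ERB::Util.html_escape(msg) + "</label>"
end

# Constructed sample: a validation message that echoes the submitted value.
def sample_model
  FakeModel.new(Errors.new({ name: ["<script>alert(1)</script> is not a valid name"] }))
end
```

Running both helpers on sample_model shows the unescaped variant passing the script tag through verbatim and the escaped variant neutralising it while the surrounding label markup is unchanged.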
