
# Unescaped model attribute

ankur (1#), published 2018-01-05 08:23:49Z
I have installed Brakeman and am getting security vulnerabilities. Here is my warning:

```
Unescaped model attribute rendered inline near line 24: render(inline => SendGridMailer.weekly_email([current_user], WeeklyNewsletterFactory.new.email(:preview => true)).html_part.body.raw_source, {})
```

Line 24:

```ruby
render inline: SendGridMailer.weekly_email([current_user], email).html_part.body.raw_source
```

I have tried this solution as suggested by Brakeman, but after doing this I start getting the error:

```
Could not parse render(inline: SendGridMailer.weekly_email([current_user], email).html_part.body.raw_source,{})
```

Rails - 4.2.4, Brakeman - 3.1.2, Ruby - 2.3.1
Justin (2#)
When you call `render inline: ...`, Rails will treat the text passed in as an ERB template. This means that if the string you provide has any `<%...%>` tags in it (or there is the possibility of an attacker inserting them), they will be executed as Ruby code.

If that is what you want, then there is no problem. Ignore the warning. But keep in mind this is dangerous! If an attacker can manipulate the text to insert ERB tags, they can execute arbitrary code on your server.

If you just want to output some HTML, use

```ruby
render html: SendGridMailer.weekly_email([current_user], email).html_part.body.raw_source.html_safe
```

(Note there is the possibility of cross-site scripting if you are not escaping user input inside of the email.)

If you meant to output plaintext, use

```ruby
render plain: SendGridMailer.weekly_email([current_user], email).html_part.body.raw_source
```

Also, Brakeman does not output suggested code fixes, so you are likely misinterpreting the report.
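The three render paths Justin describes, modelled with only Ruby's stdlib `ERB` (an added example, not code from the question or from Rails). `MAIL_BODY` is a constructed stand-in for `html_part.body.raw_source`; `contains_erb_tags?` and `build_greeting` are hypothetical helpers showing the guard for the inline path and the escaping the `html_safe` caveat calls for.

```ruby
require "erb"

# Constructed stand-in for html_part.body.raw_source. It carries an ERB tag,
# as a body could if any attacker-influenced text flows into the email.
MAIL_BODY = "<p>Hello <b>subscriber</b></p><%= 40 + 2 %>"

# render inline: the string is compiled as an ERB template, so the tag is
# evaluated as Ruby. Returns [content type, body] like the other helpers.
def render_inline(body)
  ["text/html", ERB.new(body).result(TOPLEVEL_BINDING)]
end

# render html: ...html_safe: the string is sent as HTML untouched; ERB tags
# are inert text that nothing on the server evaluates.
def render_html(body)
  ["text/html", body]
end

# render plain: the string is sent as text/plain, so markup is shown as text.
def render_plain(body)
  ["text/plain", body]
end

# Guard for the inline path (hypothetical): reject bodies with ERB delimiters.
def contains_erb_tags?(body)
  body.include?("<%") || body.include?("%>")
end

# The html_safe caveat: user input placed inside the email must be escaped
# when the body is built. Hypothetical builder using ERB::Util.html_escape.
def build_greeting(user_name)
  "<p>Hello <b>#{ERB::Util.html_escape(user_name)}</b></p>"
end

if __FILE__ == $0
  puts render_inline(MAIL_BODY).last   # tag evaluated: <p>Hello <b>subscriber</b></p>42
  puts render_html(MAIL_BODY).last     # tag left as text
  puts contains_erb_tags?(MAIL_BODY)   # true
  puts build_greeting("<script>x</script>")
end
```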