
Unescaped model attribute

#1 ankur, published 2018-01-05 08:23:49Z

I have installed Brakeman and am getting security vulnerability warnings.

Here is my warning:

Unescaped model attribute rendered inline near line 24: render(inline => SendGridMailer.weekly_email([current_user], WeeklyNewsletterFactory.new.email(:preview => true)).html_part.body.raw_source, {})

Line 24:

render inline: SendGridMailer.weekly_email([current_user], email).html_part.body.raw_source

I have tried this solution as suggested by Brakeman, but after doing this I start getting the error "Could not parse":

render(inline: SendGridMailer.weekly_email([current_user], email).html_part.body.raw_source, {})

Rails - 4.2.4
Brakeman - 3.1.2
Ruby - 2.3.1

#2 Justin, replied 2018-01-06 04:13:49Z

When you call render inline: ..., Rails will treat the text passed in as an ERB template. This means if the string you provide has any <%...%> tags in it (or the possibility of an attacker inserting them), they will be executed as Ruby code.

If that is what you want, then there is no problem. Ignore the warning. But keep in mind this is dangerous! If an attacker can manipulate the text to insert ERB tags, they can execute arbitrary code on your server.

If you just want to output some HTML, use

render html: SendGridMailer.weekly_email([current_user], email).html_part.body.raw_source.html_safe

(Note that there is the possibility of cross-site scripting if you are not escaping user input inside of the email.)

If you meant to output plaintext, use

render plain: SendGridMailer.weekly_email([current_user], email).html_part.body.raw_source

Also, Brakeman does not output suggested code fixes, so you are likely misinterpreting the report.
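The difference between the three render calls in the answer above, as an added example that is not part of the original thread and does not depend on Rails: each helper imitates one Rails call with plain Ruby's ERB, and ATTACKER_BODY is a constructed mailer body standing in for text an attacker could influence (the `21 * 2` tag is a harmless stand-in for a `system(...)` call). The helper names, the hash return values and the `erb_tags?` guard are assumptions made for this example, not Rails or Brakeman APIs.

```ruby
require "erb"

# Constructed sample input (not from the original post): a mailer body that an
# attacker has managed to influence, e.g. through a display name or signature
# that the mailer interpolates without escaping. The ERB tag computes 21 * 2
# instead of running a command such as system("...") so the example is harmless.
ATTACKER_BODY = "<p>Hi <%= 21 * 2 %></p><script>alert(1)</script>"

# Mimics `render inline: str`: Rails compiles the string as an ERB template and
# runs it, so every <% %> tag in it executes as Ruby on the server.
def render_inline(str)
  ERB.new(str).result(binding)
end

# Mimics `render html: str.html_safe`: the string goes out verbatim as text/html.
# No ERB runs, but any markup in it (here a <script> tag) reaches the browser
# unchanged, which is a cross-site scripting hole if user input was not escaped
# when the email was built.
def render_html_safe(str)
  { content_type: "text/html", body: str }
end

# Mimics `render html: str` without html_safe: Rails HTML-escapes the string,
# so both the ERB tag and the <script> tag arrive as inert text.
def render_html_escaped(str)
  { content_type: "text/html", body: ERB::Util.html_escape(str) }
end

# Mimics `render plain: str`: the body is sent verbatim, but as text/plain, so
# the browser shows it as text rather than parsing it as HTML.
def render_plain(str)
  { content_type: "text/plain", body: str }
end

# Guard a practitioner might add in front of any `render inline:` call that
# has to stay: refuse to compile text that contains ERB delimiters at all.
# (Assumed helper for this example, not a Rails or Brakeman API.)
def erb_tags?(str)
  str.include?("<%")
end

if __FILE__ == $PROGRAM_NAME
  puts "inline:       #{render_inline(ATTACKER_BODY)}"   # the ERB tag ran on the server
  puts "html_safe:    #{render_html_safe(ATTACKER_BODY)[:body]}"
  puts "html escaped: #{render_html_escaped(ATTACKER_BODY)[:body]}"
  puts "plain:        #{render_plain(ATTACKER_BODY).inspect}"
  puts "has ERB tags: #{erb_tags?(ATTACKER_BODY)}"
end
```

Running it shows `render_inline` replacing the tag with `42`, i.e. code execution, while the other three leave `<%= 21 * 2 %>` as literal text; only `render_html_escaped` also neutralises the `<script>` tag, which is the XSS caveat from the answer.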
