Background
Brakeman version: 5.1.2
Rails version: 6.1.7.3
Ruby version: 2.7.5
Link to Rails application code: #1778
False Positive
Full warning from Brakeman:
Confidence: High
Category: Cross-Site Scripting
Check: ContentTag
Message: Unescaped parameter value in `content_tag`
Code: content_tag(:tr, foo(mf), params[:foo] => params[:bar])
Relevant code:
helper.content_tag :p, "<script>alert(1)</script>", "<script>&'\"" => "<script>&'\""
Why might this be a false positive?
The return value seems to gsub out the control characters for _ in attribute names now.
=> "<p _script____=\"<script>&'"\"><script>alert(1)</script></p>"
I haven't really tracked down when this changed. I thought I did, but no.
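For anyone verifying this report without a Rails app at hand, the following is an added example (not Brakeman's or Rails' code) that approximates the behaviour described above: attribute names are sanitised by replacing anything outside a conservative name character set with `_`, which reproduces the `_script____` seen in the output, and attribute values and content are HTML-escaped. `safe_content_tag`, `naive_content_tag` and `sanitize_attribute_name` are assumed helper names, and the allowed character set is an assumption, not ActionView's actual rule.

```ruby
# Added example, not code from Brakeman or Rails. Approximates the
# content_tag attribute-name handling the issue describes, beside a naive
# builder that shows why an unsanitised name is a problem.
require "cgi"

# Assumption: a conservative ASCII subset of the XML Name production.
# Anything outside it is replaced with "_" (giving "_script____" for the
# payload used in the issue). Rails' own implementation is more thorough.
ATTR_NAME_FORBIDDEN = /[^A-Za-z0-9_:.\-]/

def sanitize_attribute_name(name)
  name.to_s.gsub(ATTR_NAME_FORBIDDEN, "_")
end

# Hardened builder (assumed helper, not ActionView::Helpers::TagHelper):
# attribute names sanitised, attribute values and content HTML-escaped.
def safe_content_tag(tag, content, attrs = {})
  rendered = attrs.map do |name, value|
    %(#{sanitize_attribute_name(name)}="#{CGI.escapeHTML(value.to_s)}")
  end
  open_tag = [tag.to_s, *rendered].join(" ")
  "<#{open_tag}>#{CGI.escapeHTML(content.to_s)}</#{tag}>"
end

# Naive builder: escapes values and content but interpolates the attribute
# name verbatim, so a name containing markup breaks out of the tag. This is
# the shape of output the Brakeman ContentTag check is warning about.
def naive_content_tag(tag, content, attrs = {})
  rendered = attrs.map do |name, value|
    %(#{name}="#{CGI.escapeHTML(value.to_s)}")
  end
  open_tag = [tag.to_s, *rendered].join(" ")
  "<#{open_tag}>#{CGI.escapeHTML(content.to_s)}</#{tag}>"
end

if __FILE__ == $0
  payload = %q(<script>&'")  # the attribute name/value used in the issue
  puts safe_content_tag(:p, "<script>alert(1)</script>", payload => payload)
  puts naive_content_tag(:p, "<script>alert(1)</script>", payload => payload)
end
```

Running the file prints the hardened output first (attribute name reduced to `_script____`, everything else entity-escaped) and the naive output second, where the raw `<script>` text lands inside the opening tag; the second line is what makes a user-controlled attribute name a real finding, and the first is what makes this report a false positive once the sanitisation is in place.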