Add Rails/OutputSafety Cop #3135
```ruby
module Cop
  module Rails
    # This cop checks for the use of output safety calls like html_safe and
    # raw.
```
Add here some examples of code the cop would consider offensive. See other cops for reference.
You might want to add some rule about this in the Rails style guide document as well. Such changes require a changelog entry.
Where's that at?
👍
@bbatsov pushed some changes based on your suggestions.
https://github.com/bbatsov/rails-style-guide Apart from the failing build, the cop looks OK to me. You'll have to rebase, though. What's the reason why this is disabled by default? I'm guessing it produces some false positives, right?
👍 I'm on it.
I'll just move it to enabled by default.
@bbatsov updated with changes.
👍 Thanks!
Hi @josh, any suggestions for the following case? `= f.submit '▶'.html_safe` Cheers.
How about using the decoded character?
Thanks @mikegee, but I was wondering if using a non-ASCII character wouldn't be a bad practice. |
If you really need encoded entities, consider something like
Thanks @josh! Did you mean `<input type="submit" name="commit" value="▶" />` While `<input type="submit" name="commit" value="▶" />` Cheers.
I'm also wondering how I'm supposed to have helpers return HTML entities, or add HTML entities to strings in helpers???
I think the cop should allow `raw()` for uninterpolated strings.
Butting heads against this cop with Here's a contrived example. (I know there's a CSS alternative. The actual use case is more complex.) `safe_join(words, ' '.html_safe)`
This adds a new cop to tighten security around Rails output safety helpers like `.html_safe` and `raw`. While you may need `.html_safe` in a handful of cases, it was too easy to casually use without careful review. Instead of just using `content_tag(:div, something)` in a safe way in a helper method, `"<div>#{something}</div>".html_safe` would be used instead. In instances where `.html_safe` is necessary, we use an inline `# rubocop:disable Rails/OutputSafety` comment after security review.
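As an added illustration (not code from rubocop or Rails), here is a stdlib-only toy model of the escaping rule behind the PR description and the later `safe_join` comment: a trusted buffer escapes plain strings on append but passes through strings already marked safe. `SafeBuffer`, `content_tag` and `safe_join` below are assumed stand-ins for the Rails helpers, and `PAYLOAD` is a constructed sample of untrusted input.

```ruby
require "erb"

# Toy stand-in for the Rails SafeBuffer idea (assumption: models the behaviour
# discussed in this PR; it is not ActiveSupport's implementation).
class SafeBuffer < String
  def html_safe?
    true
  end

  # Appending a plain String HTML-escapes it; appending a SafeBuffer does not.
  def <<(other)
    trusted = other.respond_to?(:html_safe?) && other.html_safe?
    super(trusted ? other.to_s : ERB::Util.html_escape(other.to_s))
  end
end

class String
  def html_safe?
    false
  end

  # Marks the receiver as trusted markup, bypassing escaping from here on.
  def html_safe
    SafeBuffer.new(self)
  end
end

# The pattern the cop flags: untrusted input is interpolated first and the
# whole string is trusted afterwards, so nothing is ever escaped.
def unsafe_div(something)
  "<div>#{something}</div>".html_safe
end

# The replacement named in the PR description: only the tag markup is trusted,
# the content goes through the escaping append.
def content_tag(name, content)
  buf = SafeBuffer.new("<#{name}>")
  buf << content
  buf << "</#{name}>".html_safe
end

# The safe_join case from the thread: each item is escaped, the separator is a
# trusted literal with no interpolation.
def safe_join(items, sep)
  buf = SafeBuffer.new
  items.each_with_index do |item, i|
    buf << sep if i > 0
    buf << item
  end
  buf
end

PAYLOAD = "<script>alert(1)</script>" # constructed untrusted input
```

Running `unsafe_div(PAYLOAD)` yields a trusted buffer still containing the raw `<script>` tag, while `content_tag(:div, PAYLOAD)` renders it as `&lt;script&gt;...`.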