Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Rails/OutputSafety Cop #3135

Merged
merged 1 commit into from
May 20, 2016
Merged

Add Rails/OutputSafety Cop #3135

merged 1 commit into from
May 20, 2016

Conversation

josh
Copy link
Contributor

@josh josh commented May 15, 2016

This adds a new cop tighten security around Rails output safety helpers like .html_safe and raw. While you may need .html_safe in a handful of cases, it was too easy to casually use without careful review. Instead of just using content_tag(:div, something) in a safe way in a helper method, "<div>#{something}</div>".html_safe would be used instead. In instances .html_safe were is necessary, we use an inline # rubocop:disable Rails/OutputSafety comment after security review.

module Cop
module Rails
# This cop checks for the use of output safety calls like html_safe and
# raw.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add here some examples of code the cop would consider offensive. See other cops for reference.

@bbatsov
Copy link
Collaborator

bbatsov commented May 19, 2016

You might want to add some rule about this in the Rails style guide document as well. Such changes require a changelog entry.

@josh
Copy link
Contributor Author

josh commented May 19, 2016

You might want to add some rule about this in the Rails style guide document as well

Wheres that at?

Such changes require a changelog entry.

👍

@josh
Copy link
Contributor Author

josh commented May 19, 2016

@bbatsov pushed some changes based on your suggestions.

@bbatsov
Copy link
Collaborator

bbatsov commented May 20, 2016

Wheres that at?

https://github.com/bbatsov/rails-style-guide

Apart from the failing build, the cops looks OK to me. You'll have to rebase, though. What's the reason why this is disabled by default? I'm guessing it produces some false positives, right?

@josh
Copy link
Contributor Author

josh commented May 20, 2016

Apart from the failing build, the cops looks OK to me. You'll have to rebase, though.

👍 I'm on it.

What's the reason why this is disabled by default? I'm guessing it produces some false positives, right?

I'll just move it to enabled by default.

@josh
Copy link
Contributor Author

josh commented May 20, 2016

@bbatsov updated with changes.

@bbatsov bbatsov merged commit 959cc6e into rubocop:master May 20, 2016
@bbatsov
Copy link
Collaborator

bbatsov commented May 20, 2016

👍 Thanks!

@josh josh deleted the cop-rails-output-safety branch May 20, 2016 19:38
@lucascaton
Copy link

Hi @josh,

Any suggestions for the following case?

= f.submit '&#9654;'.html_safe

Cheers.

@mikegee
Copy link
Contributor

mikegee commented Jul 18, 2016

How about using the decoded character?

= f.submit '▶'

@lucascaton
Copy link

Thanks @mikegee, but I was wondering if using a non-ASCII character wouldn't be a bad practice.

@josh
Copy link
Contributor Author

josh commented Jul 20, 2016

If you really need encoded entities, consider something like = f.submit html_encode('▶'). Others reading your views have no idea what &#9654; means.

@lucascaton
Copy link

Thanks @josh!

Did you mean html_escape? Because either html_escape or h compiles to the following HTML:

<input type="submit" name="commit" value="" />

While = f.submit '&#9654;'.html_safe generates a non-ASCII character (which is considered a good practice afaik):

<input type="submit" name="commit" value="&#9654;" />

Cheers.

@lastobelus
Copy link

lastobelus commented Oct 5, 2016

I'm also wondering how I'm supposed to have helpers return html entities, or add html entities to strings in helpers???

@lastobelus
Copy link

I think the cop should allow raw() for uninterpolated strings.

Neodelf pushed a commit to Neodelf/rubocop that referenced this pull request Oct 15, 2016
@mdavidn
Copy link

mdavidn commented Dec 16, 2016

Butting heads against this cop with '&nbsp;'.html_safe. There's no Rails helper for HTML entities. Uninterpolated strings should not be a violation, as there's no risk of code injection.

Here's a contrived example. (I know there's a CSS alternative. The actual use case is more complex.)

safe_join(words, '&nbsp;'.html_safe)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants