Cross Site Scripting (XSS)

Severity
High

Cross Site Scripting (XSS) is an attack in which a web application or system is made to treat untrusted user input as HTML markup or script code. Untrusted data must be encoded for the specific context in which it is emitted (HTML element body, attribute value, JavaScript, URL), because each context has its own escaping rules.

Detector ID
ruby/cross-site-scripting@v1.0
Category
Common Weakness Enumeration (CWE)
Tags
-

Noncompliant example

def crosssite_scripting_noncompliant
  name = params[:name]
  # Noncompliant: the untrusted parameter is interpolated into HTML without
  # escaping, and html_safe tells Rails not to escape the result on output.
  "<h2>#{name}</h2>".html_safe
end

Compliant example

def crosssite_scripting_compliant
  name = params[:name]
  # Compliant: the parameter is HTML-escaped for the element-body context
  # before interpolation, so only the fixed markup is marked html_safe.
  "<h2>#{ERB::Util.html_escape(name)}</h2>".html_safe
end
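The following is an added, stand-alone Ruby example (not the detector's own code) that contrasts the two patterns above on a constructed input. It uses ERB::Util.html_escape from Ruby's standard library; html_safe and params are Rails-only and are left out so the script runs without Rails.

```ruby
require "erb"

# Constructed sample of an untrusted "name" value. It contains every character
# that HTML escaping must neutralise: < > & ' and ".
SAMPLE_NAME = %q(<b>not bold</b> & O'Brien "quoted")

# Mirrors the noncompliant example: the raw value is interpolated into markup,
# so any tags or quotes in it become part of the page structure.
def heading_unescaped(name)
  "<h2>#{name}</h2>"
end

# Mirrors the compliant example: the value is escaped for the element-body
# context, so it is rendered as text. ERB::Util.html_escape encodes & < > " '.
def heading_escaped(name)
  "<h2>#{ERB::Util.html_escape(name)}</h2>"
end

# Attribute-value context: html_escape also encodes both quote characters, so
# the value cannot close a double-quoted attribute. The attribute itself must
# still be quoted in the template for this to hold.
def attribute_escaped(name)
  %(<input type="text" name="name" value="#{ERB::Util.html_escape(name)}">)
end

# Check a practitioner can drop into a unit test: true when the untrusted value
# survived verbatim in the rendered fragment, i.e. escaping was skipped.
def raw_value_leaked?(fragment, value)
  fragment.include?(value)
end

if __FILE__ == $PROGRAM_NAME
  puts heading_unescaped(SAMPLE_NAME) # markup characters pass straight through
  puts heading_escaped(SAMPLE_NAME)   # rendered as inert text
  puts attribute_escaped(SAMPLE_NAME)
end
```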