Avoid raw, which leads to XSS


Metadata

ID: ruby-security/rails-avoid-raw

Language: Ruby

Severity: Info

Category: Security

CWE: 79

Description

The raw method in Ruby on Rails writes a string into the rendered HTML without escaping it (it is implemented by calling html_safe on the string). If user-controlled input reaches raw, any markup in that input is interpreted by the browser, so a stored or reflected Cross-Site Scripting (XSS) vulnerability results and attacker-supplied scripts run in the victim's session.

XSS leads to session and data theft, site defacement and malware delivery to your users, so these sinks must be kept free of untrusted data.

In most cases the fix is simply to drop raw and let the default ERB output tag escape the value, since Rails escapes everything rendered with <%= %> unless it has been marked html_safe. Where some HTML must be preserved (for example a rich-text field), pass the value through sanitize, which rewrites it against an allowlist of tags and attributes and removes script tags and event-handler attributes; for example, replace raw(my_variable) with sanitize(my_variable). Note that html_safe does not escape anything: it only marks the string as trusted so the view engine skips escaping, exactly as raw does. Reserve html_safe for markup you built yourself from already-escaped parts, and never call it on user input.
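The following is an added illustration, not code from the Datadog rule or from Rails itself. It uses the standard-library ERB::Util.html_escape as a stand-in for what Rails' <%= %> does by default, contrasts it with the verbatim interpolation that raw and html_safe produce, and adds the one check escaping alone does not give you: an href built from user input still needs its scheme validated. The comment text and URLs are constructed sample input; the function names are arbitrary. The sanitize helper (rails-html-sanitizer) is not reproduced here.

```ruby
require 'erb'
require 'uri'

# Constructed sample input: an attacker-controlled comment body.
MALICIOUS_COMMENT = %q{<img src=x onerror="alert(document.cookie)">}

# Vulnerable: behaves like `raw(comment)` / `comment.html_safe` in a view.
# The string lands in the page verbatim, so the <img> becomes live DOM and
# its onerror handler executes.
def render_unsafe(comment)
  %(<p class="comment">#{comment}</p>)
end

# Safe: behaves like Rails' default `<%= comment %>`. The characters
# & < > " ' are entity-encoded, so the browser displays the text literally.
def render_escaped(comment)
  %(<p class="comment">#{ERB::Util.html_escape(comment)}</p>)
end

# Escaping is context-specific: an attribute value that is later used as a
# URL also needs its scheme restricted, otherwise "javascript:" still fires.
ALLOWED_SCHEMES = %w[http https].freeze

def safe_href(url)
  uri = begin
    URI.parse(url)
  rescue URI::InvalidURIError
    nil
  end
  return '#' unless uri && ALLOWED_SCHEMES.include?(uri.scheme)

  ERB::Util.html_escape(url)
end

# The kind of string that is legitimately safe to mark html_safe in Rails:
# our own markup, with every untrusted piece escaped (and the URL validated)
# before concatenation.
def render_author_link(name, profile_url)
  %(<a href="#{safe_href(profile_url)}">#{ERB::Util.html_escape(name)}</a>)
end

# Detection helper for the demo: did any tag appear that we did not write?
def injected_markup?(html)
  html.scan(/<[^>]+>/) != ['<p class="comment">', '</p>']
end

if __FILE__ == $PROGRAM_NAME
  puts "raw-style:     #{render_unsafe(MALICIOUS_COMMENT)}"
  puts "escaped:       #{render_escaped(MALICIOUS_COMMENT)}"
  puts "injected? raw=#{injected_markup?(render_unsafe(MALICIOUS_COMMENT))} " \
       "escaped=#{injected_markup?(render_escaped(MALICIOUS_COMMENT))}"
  puts render_author_link('Mallory <script>', 'javascript:alert(1)')
end
```

Running the file prints the same comment rendered both ways and shows that only the raw-style output contains a tag the template did not write. In an actual Rails view the equivalent fix is to replace raw(@comment.body) with <%= @comment.body %>, or with sanitize(@comment.body) when limited HTML must survive.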

Learn More

Non-Compliant Code Examples

raw(my_variable)
anotherraw(my_variable)