class RubbyCop::Cop::Rails::OutputSafety

This cop checks for the use of output safety calls like html_safe and raw. These methods do not escape content. They simply return a SafeBuffer containing the content as is. Instead, use safe_join to escape content and ensure its safety.

@example

# bad
"<p>#{text}</p>".html_safe

# good
content_tag(:p, text)

# bad
out = ""
out << content_tag(:li, "one")
out << content_tag(:li, "two")
out.html_safe

# good
out = []
out << content_tag(:li, "one")
out << content_tag(:li, "two")
safe_join(out)

# bad
(person.login + " " + content_tag(:span, person.email)).html_safe

# good
safe_join([person.login, " ", content_tag(:span, person.email)])

Constants

MSG

Public Instance Methods

on_send(node) click to toggle source
# File lib/rubbycop/cop/rails/output_safety.rb, line 39
def on_send(node)
  return unless looks_like_rails_html_safe?(node) ||
                looks_like_rails_raw?(node)

  add_offense(node, :selector)
end

Private Instance Methods

looks_like_rails_html_safe?(node) click to toggle source
# File lib/rubbycop/cop/rails/output_safety.rb, line 48
def looks_like_rails_html_safe?(node)
  node.receiver && node.method?(:html_safe) && !node.arguments?
end
looks_like_rails_raw?(node) click to toggle source
# File lib/rubbycop/cop/rails/output_safety.rb, line 52
def looks_like_rails_raw?(node)
  node.command?(:raw) && node.arguments.one?
end