class Sqreen::Rules::ReflectedXSSCB

Looks for reflected XSS in values rendered through the ERB template engine.

Public Instance Methods

pre(_inst, args, _budget = nil, &_block)
# File lib/sqreen/rules/xss_cb.rb, line 67
# Inspect a value about to be rendered by ERB and treat it as a reflected XSS
# when it is an html_safe String that exactly equals one of the known request
# parameters (xss_params).
#
# @param _inst [Object] unused; the instrumented receiver
# @param args [Array] call arguments; args[0] is the value under inspection and
#   is HTML-escaped in place when the callback is in blocking mode
# @param _budget [Object, nil] unused
# @return [Object, nil] nil when the value is not a suspicious html_safe request
#   parameter or report_dangerous_xss? declines it; otherwise the result of
#   advise_action(nil)
def pre(_inst, args, _budget = nil, &_block)
  candidate = args[0]

  # Only html_safe Strings reach the output verbatim; anything else is escaped
  # further down the rendering path, so there is nothing to do for it.
  return unless candidate.is_a?(String) && candidate.html_safe?

  # Exact equality only: a request parameter embedded inside a larger
  # html_safe string is not detected by this comparison.
  return unless xss_params.any? { |param| param == candidate }

  Sqreen.log.debug { format('Found unescaped user param: %s', candidate) }

  # Snapshot taken before args[0] may be mutated in place below, so the value
  # handed to the reporter is the raw one.
  original = candidate.dup
  return unless report_dangerous_xss?(original)

  # `block` is a method call on this callback, not the `&_block` parameter;
  # presumably it reports whether the rule runs in blocking mode — verify
  # against the callback base class. When blocking, neutralise the payload by
  # HTML-escaping the argument in place.
  args[0].replace(CGI.escape_html(candidate)) if block

  advise_action(nil)
end