class Sqreen::Rules::ReflectedXSSHamlCB
Looks for reflected XSS in the Haml template engine. The hooked function takes the arguments Haml::Buffer.format_script(result, preserve_script, in_tag, preserve_tag,
escape_html, nuke_inner_whitespace, interpolated, ugly).
Public Instance Methods
post(ret, _inst, _args, _budget = nil, &_block)
# File lib/sqreen/rules/xss_cb.rb, line 97
# Post-hook for Haml::Buffer.format_script. When the String the template is
# about to emit is exactly one of the tracked request parameters, it is
# treated as a reflected-XSS candidate and, once reported and if the rule is
# allowed to act, the hooked call's return value is swapped for its
# HTML-escaped form.
#
# @param ret [Object] return value of the hooked call; only Strings are inspected
# @param _inst [Object] hooked instance (unused)
# @param _args [Array] arguments of the hooked call (unused)
# @param _budget [Numeric, nil] unused here
# @return [nil, Object] nil on every early exit, otherwise whatever advise_action returns
def post(ret, _inst, _args, _budget = nil, &_block)
  return unless ret.is_a?(String)

  # Fast path: most emitted strings are not a user parameter at all.
  # The check is exact equality, so a parameter that is only embedded
  # inside a longer string is not matched by this callback.
  matched = xss_params.any? { |candidate| candidate == ret }
  return unless matched

  Sqreen.log.debug { format('Found unescaped user param: %s', ret) }
  return unless report_dangerous_xss?(ret)
  # `block` is not the &_block argument; presumably the rule's blocking-mode
  # flag provided by the enclosing class — confirm against the rule base class.
  return unless block

  # The user-controlled value reached the template unescaped: hand back the
  # escaped form instead of the original return value.
  advise_action(:override, :new_return_value => CGI.escape_html(ret))
end