class Sqreen::Rules::ReflectedXSSCB
Looks for reflected XSS with the ERB template engine.
Public Instance Methods
pre(_inst, args, _budget = nil, &_block)
# File lib/sqreen/rules/xss_cb.rb, line 67
#
# Pre-hook run before the instrumented template call executes.
#
# Inspects args[0] only. A String that carries the html_safe flag and is
# exactly equal to one of the request's xss_params is logged and passed
# (as a copy) to report_dangerous_xss?. If that reports it, and the rule
# is in blocking mode, args[0] is escaped in place with CGI.escape_html so
# the engine emits the escaped text, and advise_action(nil) is returned.
#
# NOTE(review): `block` below is a method/attribute of the enclosing rule
# (not the &_block parameter) — presumably the blocking-mode flag; confirm.
#
# @param _inst   instrumented receiver (unused)
# @param args    [Array] arguments of the hooked call; only args[0] is read
# @param _budget unused
# @return [nil] on every early exit, otherwise the result of advise_action(nil)
def pre(_inst, args, _budget = nil, &_block)
  candidate = args[0]
  return unless candidate.is_a?(String)
  # A String without the html_safe flag is escaped by the engine later on,
  # so only flagged strings can reach the output unescaped.
  return unless candidate.html_safe?
  return unless xss_params.include?(candidate)

  Sqreen.log.debug { format('Found unescaped user param: %s', candidate) }

  # Hand the reporter a copy so the in-place escape below cannot alter it.
  snapshot = candidate.dup
  return unless report_dangerous_xss?(snapshot)

  # Potential XSS: escape in place (same String object as args[0]) when the
  # rule is in blocking mode, then let the rule framework act on it.
  args[0].replace(CGI.escape_html(candidate)) if block
  advise_action(nil)
end