class Sqreen::Rules::ReflectedXSSHamlCB

Looks for reflected XSS with the Haml template engine. Hooked function and its arguments: Haml::Buffer.format_script(result, preserve_script, in_tag, preserve_tag, escape_html, nuke_inner_whitespace, interpolated, ugly)

Public Instance Methods

post(ret, _inst, _args, _budget = nil, &_block)
# File lib/sqreen/rules/xss_cb.rb, line 97
# Post-hook for Haml::Buffer.format_script.
#
# Inspects the String the hooked method is about to return. When it is
# exactly equal to one of the values in `xss_params` (presumably the
# request parameters tracked as XSS candidates — defined outside this
# method), the occurrence is logged and reported; if `block` is truthy,
# the hook advises overriding the return value with its HTML-escaped form.
#
# @param ret [Object] return value of the hooked call; anything but a String is ignored
# @param _inst [Object] receiver of the hooked call (unused)
# @param _args [Array] arguments of the hooked call (unused)
# @param _budget [Numeric, nil] unused
# @return [nil, Object] nil when nothing is done, otherwise the result of advise_action
def post(ret, _inst, _args, _budget = nil, &_block)
  return unless ret.is_a?(String)

  candidate = ret

  # Cheap exact-match filter first: almost every call exits here.
  matched = xss_params.any? { |param| param == candidate }
  return unless matched

  Sqreen.log.debug { format('Found unescaped user param: %s', candidate) }

  # Reporting may decide this occurrence is not worth acting on.
  return unless report_dangerous_xss?(candidate)

  # NOTE(review): `block` resolves to something defined outside this method
  # (it is not the &_block parameter) — presumably the callback's blocking
  # flag; confirm against the base class.
  return unless block

  # Potential XSS: escape the value and have the hooked call return that instead.
  escaped = CGI.escape_html(candidate)
  advise_action(:override, :new_return_value => escaped)
end