lib/brakeman/checks/check_render_inline.rb in brakeman-3.1.1 vs lib/brakeman/checks/check_render_inline.rb in brakeman-3.1.2
- old
+ new
@@ -18,25 +18,37 @@
call = result[:call]
if node_type? call, :render and
(call.render_type == :text or call.render_type == :inline)
- render_value = call[2]
+ unless call.render_type == :text and content_type_set? call[3]
+ render_value = call[2]
- if input = has_immediate_user_input?(render_value)
- warn :result => result,
- :warning_type => "Cross Site Scripting",
- :warning_code => :cross_site_scripting_inline,
- :message => "Unescaped #{friendly_type_of input} rendered inline",
- :code => input.match,
- :confidence => CONFIDENCE[:high]
- elsif input = has_immediate_model?(render_value)
- warn :result => result,
- :warning_type => "Cross Site Scripting",
- :warning_code => :cross_site_scripting_inline,
- :message => "Unescaped model attribute rendered inline",
- :code => input,
- :confidence => CONFIDENCE[:med]
+ if input = has_immediate_user_input?(render_value)
+ warn :result => result,
+ :warning_type => "Cross Site Scripting",
+ :warning_code => :cross_site_scripting_inline,
+ :message => "Unescaped #{friendly_type_of input} rendered inline",
+ :user_input => input,
+ :confidence => CONFIDENCE[:high]
+ elsif input = has_immediate_model?(render_value)
+ warn :result => result,
+ :warning_type => "Cross Site Scripting",
+ :warning_code => :cross_site_scripting_inline,
+ :message => "Unescaped model attribute rendered inline",
+ :user_input => input,
+ :confidence => CONFIDENCE[:med]
+ end
end
+ end
+ end
+
+ CONTENT_TYPES = ["text/html", "text/javascript", "application/javascript"]
+
+ def content_type_set? opts
+ if hash? opts
+ content_type = hash_access(opts, :content_type)
+
+ string? content_type and not CONTENT_TYPES.include? content_type.value
end
end
end
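Review bot: The suppression in `content_type_set?` is an exact, case-sensitive membership test against `CONTENT_TYPES`, so a literal such as `"text/html; charset=utf-8"` or `"TEXT/HTML"` is not found in the list and the inline XSS warning is silently dropped even though the response is still rendered as HTML — a false negative in the direction an analyzer should not err. Comparing the normalized media type would keep the check conservative: `string? content_type and not CONTENT_TYPES.include? content_type.value.split(";").first.strip.downcase` (this presumes `content_type.value` is a plain String for literals that pass `string?`; worth confirming against the Sexp helpers). Other script-capable types, e.g. `application/xhtml+xml` and `image/svg+xml`, are also absent from the list and would suppress the warning, so the list deserves a comment stating that it is deliberately the set of types for which the content must still be escaped. The new constant is a mutable array and should be frozen, `CONTENT_TYPES = ["text/html", "text/javascript", "application/javascript"].freeze`. The method containing the new `unless` guard begins before this hunk.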