We had to add some ignore statements to our Brakeman configuration to get our tests passing. The issues were non-critical, but it would be good to clean them up.
These issues are tied to cross-site scripting warnings and the fact that we are displaying unsanitized user input. That input is collected from the user via TinyMCE controls. Users are not able to manually modify the underlying HTML within the editor, so the risk is low. We should look into whether or not it would be appropriate to sanitize the input ourselves or let TinyMCE handle it.
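For reference, here is the shape of the change Brakeman is asking for, as an added illustration rather than code from this repository. The vulnerable pattern renders the editor's HTML verbatim (this is what the ignored warnings flag); the hardened form runs it through the Rails `sanitize` helper with an explicit allowlist that matches the formatting TinyMCE is configured to produce. The model and attribute names (`@page.body`) and the tag list are assumptions for the example; the real allowlist should be derived from the editor's actual configuration.

```erb
<%# Added example, not code from this project. %>

<%# Vulnerable pattern (what Brakeman warns about): the stored HTML is marked safe %>
<%# and rendered as-is. The editor's client-side restrictions do not help here, %>
<%# because the same field can be submitted without going through TinyMCE at all. %>
<%= raw @page.body %>

<%# Hardened form: server-side allowlist sanitization, independent of the editor. %>
<%# Anything not in the tag/attribute allowlist (script, event handlers, iframes, %>
<%# style attributes, ...) is stripped before the markup reaches the response. %>
<%# The tag list below is a placeholder; mirror the formatting TinyMCE is %>
<%# configured to emit so legitimate content survives unchanged. %>
<%= sanitize @page.body,
      tags: %w[p br strong em ul ol li a h2 h3 blockquote],
      attributes: %w[href title] %>
```

Sanitizing at render time means the raw submission can still be stored and re-sanitized later if the allowlist changes, and it removes the need for the Brakeman ignore entries, since the helper no longer outputs unescaped user input. Whether TinyMCE sanitizes on the client is then irrelevant to the security decision; it only affects the editing experience.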
The Brakeman exceptions can be found in PR #1789.