Open marcandre opened 7 months ago
Interesting! Thanks for the find - I'll need to dig a bit deeper into this feature add, because existing .heex support like you linked is all based around reading entire template files and not strings within .ex files. Therefore it wouldn't be simply a matter of adjusting the existing rule, but more than likely creating a brand new rule or revamping the existing one to also consider .ex files with ~H"...".

To be honest, I'm also not sure Sobelow currently identifies / pulls out sigils in any sort of way - so I would need to look into that before confirming how difficult an adjustment this is. But this is still a great callout to improve detections!
While sobelow analyses .heex templates, it seems it completely ignores HEEX templates using ~H"...". For some tests, in particular XSS, this is a critical issue.