rubocop / rubocop-rails

A RuboCop extension focused on enforcing Rails best practices and coding conventions.
https://docs.rubocop.org/rubocop-rails
MIT License

Rails/OutputSafety reports false positives on .html_safe when input is escaped #154

Open inkstak opened 4 years ago

inkstak commented 4 years ago

Expected behavior

The cop OutputSafety should not return errors when content is already escaped.

Actual behavior

def some_content_tag_helper(id)
  %{<div id="#{h(id)}"></div>}.html_safe
end

C: Rails/OutputSafety: Tagging a string as html safe may be a security risk.
        %{<div id="#{h(id)}"></div>}.html_safe

Is there a real security risk?

Steps to reproduce the problem

See example above.

RuboCop version

rubocop (0.76.0)
rubocop-rails (2.3.2)

koic commented 4 years ago

It seems that the message for html_safe redundancy is not appropriate. And the cop needs an extension that recognizes that all strings built are safe.

require 'erb'
require 'active_support/core_ext/string/output_safety' # String#html_safe
include ERB::Util # provides h (html_escape) outside a view context

id = '<span>42</span>' # => "<span>42</span>"
%{<div id="#{h(id)}"></div>}.html_safe # => "<div id=\"&lt;span&gt;42&lt;/span&gt;\"></div>"
%{<div id="#{(id)}"></div>}.html_safe # => "<div id=\"<span>42</span>\"></div>"
%{<div id="#{h(id)}"></div>} # => "<div id=\"&lt;span&gt;42&lt;/span&gt;\"></div>"
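As an added example (not code from this issue or from rubocop-rails), the helper from the report with `h` replaced by the stdlib method it resolves to, `ERB::Util.html_escape`, beside the unescaped form the cop is really meant to catch; `.html_safe` is left out because it only marks the result as trusted and needs ActiveSupport. `unsafe_content_tag_helper`, `attribute_intact?` and the sample ids are this example's own.

```ruby
require 'erb'

# Escaped variant: the helper from the issue, minus the `.html_safe` call.
# ERB::Util.html_escape (what Rails' `h` maps to) turns & < > " ' into
# entities, so the value cannot leave the double-quoted id attribute.
def some_content_tag_helper(id)
  %{<div id="#{ERB::Util.html_escape(id)}"></div>}
end

# Unescaped variant: this is the pattern Rails/OutputSafety exists to flag.
# (Hypothetical helper, not from the issue.)
def unsafe_content_tag_helper(id)
  %{<div id="#{id}"></div>}
end

# True when the markup is exactly one div whose id attribute holds no raw
# quote or angle bracket, i.e. the interpolated value stayed in the attribute.
ATTRIBUTE_ONLY = %r{\A<div id="([^"<>]*)"></div>\z}

def attribute_intact?(html)
  !ATTRIBUTE_ONLY.match(html).nil?
end

# Constructed sample ids: the page's own <span> value, plus one carrying a
# double quote, the character that matters inside an attribute.
SAMPLE_IDS = ['<span>42</span>', '42" class="x'].freeze

# Maps each sample id to the escaped helper's output.
def escaped_results
  SAMPLE_IDS.to_h { |id| [id, some_content_tag_helper(id)] }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_IDS.each do |id|
    safe = some_content_tag_helper(id)
    unsafe = unsafe_content_tag_helper(id)
    puts "escaped:   #{safe}  intact=#{attribute_intact?(safe)}"
    puts "unescaped: #{unsafe}  intact=#{attribute_intact?(unsafe)}"
  end
end
```

The escaped output for `<span>42</span>` is exactly the string koic shows above; the only thing `.html_safe` would add in Rails is telling ERB not to escape it a second time.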