Open inkstak opened 4 years ago
It seems that the message for html_safe redundancy is not appropriate. And the cop needs an extension that recognizes that all strings built are safe.
id = '<span>42</span>' # => "<span>42</span>"
%{<div id="#{h(id)}"></div>}.html_safe # => "<div id=\"&lt;span&gt;42&lt;/span&gt;\"></div>"
%{<div id="#{(id)}"></div>}.html_safe # => "<div id=\"<span>42</span>\"></div>"
%{<div id="#{h(id)}"></div>} # => "<div id=\"&lt;span&gt;42&lt;/span&gt;\"></div>"
Expected behavior
The cop OutputSafety should not return errors when content is already escaped.
Actual behavior
Is there a real security risk?
Steps to reproduce the problem
See example above.
RuboCop version
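
The difference between the escaped and unescaped interpolations in the report, as an added example that is not part of the original issue or of RuboCop. It uses ERB::Util.html_escape (the method that h aliases) from the standard library so it runs without Rails, and leaves out html_safe, which only marks a string as trusted and does no escaping itself. The helper names and the second sample value are constructed for illustration.

```ruby
require 'erb'

# Constructed sample values; the first is the one from the report,
# the second contains a double quote (assumption, not from the issue).
SAMPLES = ['<span>42</span>', '42" data-x="1'].freeze

# Mirrors %{<div id="#{h(id)}"></div>}: the value is escaped before
# it is interpolated into the attribute.
def escaped_div(id)
  %(<div id="#{ERB::Util.html_escape(id)}"></div>)
end

# Mirrors %{<div id="#{(id)}"></div>}: the value is interpolated as-is.
def raw_div(id)
  %(<div id="#{id}"></div>)
end

# True when the markup is still exactly one <div> whose only attribute
# is id, i.e. the interpolated value stayed inside the quoted attribute.
def single_id_attribute?(html)
  html.match?(%r{\A<div id="[^"<>]*"></div>\z})
end

# One row per sample: does each variant keep the intended structure?
def report(samples = SAMPLES)
  samples.map do |id|
    { id: id,
      escaped_ok: single_id_attribute?(escaped_div(id)),
      raw_ok: single_id_attribute?(raw_div(id)) }
  end
end

report.each { |row| puts row.inspect } if $PROGRAM_NAME == __FILE__
```

Only the escaped variant keeps its structure for both samples, which is the property that has to hold for every interpolated value before the resulting string is marked with html_safe.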