Ach, sorry, my mistake - when I expanded the terminal window to copy as much of the warning as possible, I realised it was actually a link_to warning for the following line, caused by this rather ugly piece of code:
<%= link_to "View in Google Earth", earth_index_path<<"?location_id="<<@location.id.to_s %>

The earth#index view linked to here embeds the google-earth plugin, and passes the location id referenced by params[:location_id] as another query string back to a location resource as a networkLink request. This in turn sends the lat/lon (among other things) as KML to tell the google earth plugin where to center the view, and what to overlay. It's a bit of a daisy-chain, but it works! I could possibly use session / flash to pass the location_id, but using a querystring makes the link bookmarkable. Also, I *think* the google-earth plugin maintains its own session. Any ideas?

Thanks!

On 11 April 2013 01:01, Justin Collins <jus...@presidentbeef.com> wrote:
> Actually, image_tag (and most other _tag methods) should be ignored.
>
> I'm having trouble reproducing this warning. Can you show us the entire
> warning output? What version of Rails and Brakeman are you using?
>
> Thanks!
>
> -Justin
>
> On 04/10/2013 04:06 PM, Matthew Brookes wrote:
> > Hi!
> >
> > I'm getting an XSS warning for this:
> >
> > <%= image_tag "http://maps.google.com/maps/api/staticmap?size=610x450&sensor=false&zoom=15&markers=#{@location.latitude}%2C#{@location.longitude}" %>
> >
> > Is there something I need to do to improve my code, or is this an
> > expected false positive?
> >
> > Thanks!
> > Matt.
> >
> > On 10 April 2013 18:09, Matthew Brookes <m...@brookes.net
> > <mailto:m...@brookes.net>> wrote:
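Added illustration, not code from the thread or from Brakeman: a plain-Ruby (no Rails) comparison of the concatenated link above with the same link built by passing the id to the path helper as a query parameter. It assumes a stand-in `earth_index_path` that takes a hash of query params the way Rails route helpers do, and uses `CGI.escapeHTML` in place of Rails' `html_escape` to show what ends up in the href.

```ruby
require "uri"
require "cgi"

# Constructed stand-in for a Rails route helper (assumption: mirrors how
# Rails helpers such as earth_index_path turn a hash of extra options
# into a percent-encoded query string).
def earth_index_path(params = {})
  base = "/earth".dup
  params.empty? ? base : "#{base}?#{URI.encode_www_form(params)}"
end

# The pattern from the thread: the id is appended as a raw string, so
# nothing between the value and the href encodes it. Brakeman warns
# because it cannot see an encoding step on that concatenated value.
def concatenated_link(location_id)
  earth_index_path << "?location_id=" << location_id.to_s
end

# The same link with the id handed to the helper as a query parameter;
# the helper percent-encodes it, so the value cannot alter the query.
def param_link(location_id)
  earth_index_path(location_id: location_id)
end

# What the href attribute looks like after HTML escaping (the step
# link_to always applies). Note that this escapes markup characters but
# does not undo a query string that was already reshaped by "&".
def href_attr(url)
  %(href="#{CGI.escapeHTML(url)}")
end

if __FILE__ == $PROGRAM_NAME
  # 42 is a normal database id; the second value is a constructed sample
  # showing how an unencoded "&" adds a parameter the view never intended.
  [42, "1&debug=true"].each do |id|
    puts "concatenated: #{href_attr(concatenated_link(id))}"
    puts "param helper: #{href_attr(param_link(id))}"
  end
end
```

For an integer id from the database both forms produce the same URL, which is why the warning reads as a false positive; the helper form is what Brakeman recognises as safe and is the usual way to silence it without a manual ignore.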