Neil should probably confirm, but I believe the way to approach this 
would be to use CGI.escape:

<%= link_to "View in Google Earth", earth_index_path << "?location_id=" << CGI.escape(@location.id.to_s) %>


On 04/11/2013 10:13 AM, Matthew Brookes wrote:
> Ach, sorry, my mistake - when I expanded the terminal window to copy as
> much of the warning as possible, I realised it was actually a link_to
> warning for the following line, caused by this rather ugly piece of code:
>
> <%= link_to "View in Google Earth",
> earth_index_path<<"?location_id="<<@location.id.to_s  %>
>
> The earth#index view linked to here embeds the google-earth plugin, and
> passes the location id referenced by params[:location_id] as another
> query string back to a location resource as a networkLink request. This
> in turn sends the lat/lon (among other things) as kml to tell the google
> earth plugin where to center the view, and what to overlay. It's a bit
> of a daisy-chain, but it works!
>
> I could possibly use session / flash to pass the location_id, but using
> a querystring makes the link bookmarkable. Also, I /think/ the
> google-earth plugin maintains its own session. Any ideas?
>
> Thanks!
>
>
> On 11 April 2013 01:01, Justin Collins <[email protected]> wrote:
>
>     Actually, image_tag (and most other _tag methods) should be ignored.
>
>     I'm having trouble reproducing this warning. Can you show us the entire
>     warning output? What version of Rails and Brakeman are you using?
>
>     Thanks!
>
>     -Justin
>
>     On 04/10/2013 04:06 PM, Matthew Brookes wrote:
>      > Hi!
>      >
>      > I'm getting an XSS warning  for this:
>      >
>      > <%= image_tag
>      > "http://maps.google.com/maps/api/staticmap?size=610x450&sensor=false&zoom=15&markers=#{@location.latitude}%2C#{@location.longitude}"
>      > %>
>      >
>      > Is there something I need to do to improve my code, or is this an
>      > expected false positive?
>      >
>      > Thanks!
>      > Matt.
>      >
>      > On 10 April 2013 18:09, Matthew Brookes <[email protected]> wrote:
>      >

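The two ways of building the href discussed in this thread, side by side, as an added example that is not part of the original messages or of Brakeman. It stubs the `earth_index_path` route helper (hypothetical, no Rails loaded) and uses a constructed location id containing query delimiters to show why Brakeman cannot treat string concatenation into a `link_to` URL as safe, while `CGI.escape` (or `URI.encode_www_form`) keeps whatever ends up in the id inside a single query value:

```ruby
require "cgi"
require "uri"

# Stand-in for the Rails route helper (hypothetical, constructed for this example).
# .dup so that << never mutates a shared or frozen literal.
def earth_index_path
  "/earth".dup
end

# The pattern Brakeman warned about: the id is concatenated into the href byte
# for byte. For an integer primary key this is harmless, but the analyzer only
# sees a string built from model data, and a string id would pass through unchanged.
def unescaped_link(location_id)
  earth_index_path << "?location_id=" << location_id.to_s
end

# Same href with the query value percent-encoded, as suggested in the reply above.
def escaped_link(location_id)
  earth_index_path << "?location_id=" << CGI.escape(location_id.to_s)
end

# Equivalent form that encodes every key and value, handy once the link
# carries more than one parameter.
def form_encoded_link(params)
  "#{earth_index_path}?#{URI.encode_www_form(params)}"
end

# Defensive check: after the "?location_id=" marker only percent-encoded or
# unreserved characters may remain, so the value cannot introduce a second
# parameter or break out of the surrounding HTML attribute.
def query_value_safe?(href)
  value = href.split("?location_id=", 2).last
  value.match?(/\A[A-Za-z0-9_.~%+-]*\z/)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample id carrying query delimiters.
  hostile_id = "1&other=2"
  puts "unescaped:   #{unescaped_link(hostile_id)}"    # two parameters now
  puts "escaped:     #{escaped_link(hostile_id)}"      # one parameter, value encoded
  puts "www-form:    #{form_encoded_link(location_id: hostile_id)}"
  puts "integer id:  #{escaped_link(42)}"              # unchanged, nothing to encode
end
```

Note that `CGI.escape` encodes a space as `+` and `ERB::Util.url_encode` as `%20`; either is fine for a query value, and Rails decodes both into `params[:location_id]` on the `earth#index` side.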