Got it. I submitted an issue, but when I RTFM'd (I should do that more often!) link_to, it turns it can generate (I presume safely escaped?) query strings, so I ended up with:
<%= link_to 'View in Google Earth', earth_index_path(:location_id => params[:id]) %> which looks cleaner and keeps brakeman happy. :-) Thanks! Matt. On 12 April 2013 15:53, Justin Collins <jus...@presidentbeef.com> wrote: > Yes, Brakeman should probably not warn on to_param/to_query. > > On 04/11/2013 01:36 PM, Matthew Brookes wrote: > > Thanks Justin, > > > > A quick search for CGI.escape brought me to this discussion > > <http://stackoverflow.com/a/13059657/1447810> on Ruby escape methods, > > which in one of the comments had a link to another discussion, which > > mentions <http://stackoverflow.com/a/13626484/1447810> the ActiveSupport > > to_query</> CGI.escape wrapper, which among it's various forms lets me > use: > > > > <%= link_to 'View in Google Earth', > > earth_index_path<<'?'<<{location_id: @location.id > > <http://location.id>}.to_query %> > > > > ...which escapes and builds the query string(s), so should be safe. > > > > Brakeman still has other ideas though: > > > > Unsafe model attribute in link_to href near line 12: link_to("View > > in Google Earth", ((earth_index_path << "?") << { :location_id => > > (+Location.find(params[:id])+.id) }.to_query)) > > > > ...but Brankeman's code expansion made me realise I should probably be > > using params[:id] directly (I'm using @location for other things in the > > view, but still...): > > > > <%= link_to 'View in Google Earth', > > earth_index_path<<'?'<<{location_id: params[:id]}.to_query %> > > > > Brakeman still has other ideas though: > > > > Unsafe parameter value in link_to href near line 12: link_to("View > > in Google Earth", ((earth_index_path << "?") << { :location_id => > > (+params+[:id]) }.to_query)) > > > > It doesn't like these forms either: > > > > params[:id].to_query(:location_id) > > params[:id].to_query('location_id') > > {:location_id => params[:id]}.to_query > > {location_id: params[:id]}.to_param > > > > So I tried plain CGI.escape as you suggested, and hey presto! So it > > seems brakeman doesn't know about to_query / to_param. > > > > Matt. > > > > > > > > > > On 11 April 2013 19:01, Justin Collins <jus...@presidentbeef.com > > <mailto:jus...@presidentbeef.com>> wrote: > > > > Neil should probably confirm, but I believe the way to approach this > > would be to use CGI.escape: > > > > <%= link_to "View in Google Earth", earth_index_path << > "?location_id=" > > << CGI.escape(@location.to_id.to_s) %> > > > > > > On 04/11/2013 10:13 AM, Matthew Brookes wrote: > > > Ach, sorry, my mistake - when I expanded the terminal window to > > copy as > > > much of the warning as possible, I realised it was actually a > link_to > > > warning for the following line, caused by this rather ugly piece > > of code: > > > > > > <%= link_to "View in Google Earth", > > > earth_index_path<<"?location_id="<<@location.id.to_s %> > > > > > > The earth#index view linked to here embeds the google-earth > > plugin, and > > > passes the location id referenced by params[:location_id] as > another > > > query string back to a location resource as a networkLink > > request. This > > > in turn sends the lat/lon (among other things) as kml to tell the > > google > > > earth plugin where to center the view, and what to overlay. It's > > a bit > > > of a daisy-chain, but it works! > > > > > > I could possibly use session / flash to pass the location_id, but > > using > > > a querystring makes the link bookmarkable. Also, i /think /the > > > google-earth plugin maintains its own session. Any ideas? > > > > > > Thanks! > > > > > > > > > On 11 April 2013 01:01, Justin Collins <jus...@presidentbeef.com > > <mailto:jus...@presidentbeef.com> > > > <mailto:jus...@presidentbeef.com > > <mailto:jus...@presidentbeef.com>>> wrote: > > > > > > Actually, image_tag (and most other _tag methods) should be > > ignored. > > > > > > I'm having trouble reproducing this warning. Can you show us > > the entire > > > warning output? What version of Rails and Brakeman are you > using? > > > > > > Thanks! > > > > > > -Justin > > > > > > On 04/10/2013 04:06 PM, Matthew Brookes wrote: > > > > Hi! > > > > > > > > I'm getting an XSS warning for this: > > > > > > > > <%= image_tag > > > > > > > > > " > http://maps.google.com/maps/api/staticmap?size=610x450&sensor=false&zoom=15&markers=#{@location.latitude}%2C#{@location.longitude} > " > > > > %> > > > > > > > > Is there something I need to do to improve my code, or is > > this an > > > > expected false positive? > > > > > > > > Thanks! > > > > Matt. > > > > > > > > > > > > > > > > > > > > On 10 April 2013 18:09, Matthew Brookes <m...@brookes.net > > <mailto:m...@brookes.net> > > > <mailto:m...@brookes.net <mailto:m...@brookes.net>> > > > > <mailto:m...@brookes.net <mailto:m...@brookes.net> > > <mailto:m...@brookes.net <mailto:m...@brookes.net>>>> wrote: > > > > > > > > > > > > > > > > > > > > > > > >