On 09/21/2013 05:12 PM, Justin Phillips wrote:
> Hi,
> I'm getting this
> Cross Site Scripting | Unsafe model attribute in link_to href near line
> 6: link_to(issue_summary_for_pin(+(Unresolved
> Model).new+.actualized_id), path_for_pin(+(Unresolved
> Model).new+.actualized_id))
> for this code
>
>
> <% if @actualized_issues.any? %>
>    <div class="supportedIssueList">
>      <h3>Actionable Issues</h3>
>      <% @actualized_issues.each do |actualized_issue| %>
>        <%= link_to
> issue_summary_for_pin(actualized_issue.actualized_id),
> path_for_pin(actualized_issue.actualized_id) %>
>        <br/>
>      <% end %>
>    </div>
> <% else %>
>
> What am I doing unsafely? I'm new to brakeman / rails.
> Thanks!
> -Justin


Hi Justin,

Brakeman warns about potential user input in link_to because link_to 
will accept URLs with any protocol (like javascript: and data:). See 
this pull request for details: 
https://github.com/presidentbeef/brakeman/pull/45

In your case, I suspect path_for_pin() is a safe method, especially 
since it probably returns a path and not even a full URL. So this is a 
false positive for you.

Unfortunately, the Brakeman warning is a little unclear in this case. 
First, "Unresolved Model" just means Brakeman is fairly certain 
"actualized_issue" is a model, but it isn't sure which model. Secondly, 
the code uses the same value for the text of the link and the URL, which 
caused Brakeman to mark both values (in the message) as dangerous 
because it uses a pretty naive method to point out the dangerous value.
So, sorry for the confusion there.

-Justin
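As an added example (not code from the thread, and not Rails' real implementation), the point above about link_to and URL schemes in plain Ruby: `naive_link_to` is a hypothetical stand-in that only HTML-escapes its arguments, which is enough to show that escaping alone does not stop a javascript: or data: href, and `safe_href` is the scheme check that would make such a value safe to pass to a link helper.

```ruby
require "cgi"
require "uri"

# Hypothetical stand-in for a link helper: it HTML-escapes text and href
# (so no tag or attribute breakout) but never looks at the URL scheme.
def naive_link_to(text, href)
  %(<a href="#{CGI.escapeHTML(href.to_s)}">#{CGI.escapeHTML(text.to_s)}</a>)
end

# Schemes allowed when the URL may come from user input (assumption:
# only web links are wanted here; extend deliberately if needed).
SAFE_SCHEMES = %w[http https].freeze

# Return href when it is a local path or uses an allow-listed scheme,
# otherwise nil. Parsing with URI (rather than a prefix check) normalises
# casing and rejects URLs with embedded control characters.
def safe_href(href)
  candidate = href.to_s.strip
  return nil if candidate.empty?
  return nil if candidate.start_with?("//")  # protocol-relative, not a local path
  uri = URI.parse(candidate)
  return candidate if uri.scheme.nil?        # relative path such as /pins/42
  return candidate if SAFE_SCHEMES.include?(uri.scheme.downcase)
  nil
rescue URI::InvalidURIError
  nil
end

# Build the link only when the URL passed the scheme check; otherwise
# emit plain text so a rejected URL never becomes a clickable href.
def safe_link_to(text, href)
  checked = safe_href(href)
  checked ? naive_link_to(text, checked) : CGI.escapeHTML(text.to_s)
end

# Constructed inputs: a path like path_for_pin would return, and the two
# scheme families the Brakeman warning is about.
if __FILE__ == $PROGRAM_NAME
  ["/pins/42", "javascript:alert(1)", "data:text/html;base64,PHNjcmlwdD4="].each do |u|
    puts "#{u.inspect}: naive=#{naive_link_to('pin', u)} safe=#{safe_link_to('pin', u)}"
  end
end
```

The naive helper happily emits the javascript: and data: links, while safe_link_to degrades them to plain text and keeps the path; a helper such as path_for_pin that only ever returns a path is exactly the case Brakeman cannot distinguish from user input.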
