Re: [brakeman] Re:
Got it. I submitted an issue, but when I RTFM'd (I should do that more often!) link_to, it turns it can generate (I presume safely escaped?) query strings, so I ended up with: %= link_to 'View in Google Earth', earth_index_path(:location_id = params[:id]) % which looks cleaner and keeps brakeman happy. :-) Thanks! Matt. On 12 April 2013 15:53, Justin Collins jus...@presidentbeef.com wrote: Yes, Brakeman should probably not warn on to_param/to_query. On 04/11/2013 01:36 PM, Matthew Brookes wrote: Thanks Justin, A quick search for CGI.escape brought me to this discussion http://stackoverflow.com/a/13059657/1447810 on Ruby escape methods, which in one of the comments had a link to another discussion, which mentions http://stackoverflow.com/a/13626484/1447810 the ActiveSupport to_query/ CGI.escape wrapper, which among it's various forms lets me use: %= link_to 'View in Google Earth', earth_index_path'?'{location_id: @location.id http://location.id}.to_query % ...which escapes and builds the query string(s), so should be safe. Brakeman still has other ideas though: Unsafe model attribute in link_to href near line 12: link_to(View in Google Earth, ((earth_index_path ?) { :location_id = (+Location.find(params[:id])+.id) }.to_query)) ...but Brankeman's code expansion made me realise I should probably be using params[:id] directly (I'm using @location for other things in the view, but still...): %= link_to 'View in Google Earth', earth_index_path'?'{location_id: params[:id]}.to_query % Brakeman still has other ideas though: Unsafe parameter value in link_to href near line 12: link_to(View in Google Earth, ((earth_index_path ?) { :location_id = (+params+[:id]) }.to_query)) It doesn't like these forms either: params[:id].to_query(:location_id) params[:id].to_query('location_id') {:location_id = params[:id]}.to_query {location_id: params[:id]}.to_param So I tried plain CGI.escape as you suggested, and hey presto! So it seems brakeman doesn't know about to_query / to_param. Matt. On 11 April 2013 19:01, Justin Collins jus...@presidentbeef.com mailto:jus...@presidentbeef.com wrote: Neil should probably confirm, but I believe the way to approach this would be to use CGI.escape: %= link_to View in Google Earth, earth_index_path ?location_id= CGI.escape(@location.to_id.to_s) % On 04/11/2013 10:13 AM, Matthew Brookes wrote: Ach, sorry, my mistake - when I expanded the terminal window to copy as much of the warning as possible, I realised it was actually a link_to warning for the following line, caused by this rather ugly piece of code: %= link_to View in Google Earth, earth_index_path?location_id=@location.id.to_s % The earth#index view linked to here embeds the google-earth plugin, and passes the location id referenced by params[:location_id] as another query string back to a location resource as a networkLink request. This in turn sends the lat/lon (among other things) as kml to tell the google earth plugin where to center the view, and what to overlay. It's a bit of a daisy-chain, but it works! I could possibly use session / flash to pass the location_id, but using a querystring makes the link bookmarkable. Also, i /think /the google-earth plugin maintains its own session. Any ideas? Thanks! On 11 April 2013 01:01, Justin Collins jus...@presidentbeef.com mailto:jus...@presidentbeef.com mailto:jus...@presidentbeef.com mailto:jus...@presidentbeef.com wrote: Actually, image_tag (and most other _tag methods) should be ignored. I'm having trouble reproducing this warning. Can you show us the entire warning output? What version of Rails and Brakeman are you using? Thanks! -Justin On 04/10/2013 04:06 PM, Matthew Brookes wrote: Hi! I'm getting an XSS warning for this: %= image_tag http://maps.google.com/maps/api/staticmap?size=610x450sensor=falsezoom=15markers=#{@location.latitude}%2C#{@location.longitude} % Is there something I need to do to improve my code, or is this an expected false positive? Thanks! Matt. On 10 April 2013 18:09, Matthew Brookes m...@brookes.net mailto:m...@brookes.net mailto:m...@brookes.net mailto:m...@brookes.net mailto:m...@brookes.net
Re: [brakeman] Re:
Yes, Brakeman should probably not warn on to_param/to_query. On 04/11/2013 01:36 PM, Matthew Brookes wrote: Thanks Justin, A quick search for CGI.escape brought me to this discussion http://stackoverflow.com/a/13059657/1447810 on Ruby escape methods, which in one of the comments had a link to another discussion, which mentions http://stackoverflow.com/a/13626484/1447810 the ActiveSupport to_query/ CGI.escape wrapper, which among it's various forms lets me use: %= link_to 'View in Google Earth', earth_index_path'?'{location_id: @location.id http://location.id}.to_query % ...which escapes and builds the query string(s), so should be safe. Brakeman still has other ideas though: Unsafe model attribute in link_to href near line 12: link_to(View in Google Earth, ((earth_index_path ?) { :location_id = (+Location.find(params[:id])+.id) }.to_query)) ...but Brankeman's code expansion made me realise I should probably be using params[:id] directly (I'm using @location for other things in the view, but still...): %= link_to 'View in Google Earth', earth_index_path'?'{location_id: params[:id]}.to_query % Brakeman still has other ideas though: Unsafe parameter value in link_to href near line 12: link_to(View in Google Earth, ((earth_index_path ?) { :location_id = (+params+[:id]) }.to_query)) It doesn't like these forms either: params[:id].to_query(:location_id) params[:id].to_query('location_id') {:location_id = params[:id]}.to_query {location_id: params[:id]}.to_param So I tried plain CGI.escape as you suggested, and hey presto! So it seems brakeman doesn't know about to_query / to_param. Matt. On 11 April 2013 19:01, Justin Collins jus...@presidentbeef.com mailto:jus...@presidentbeef.com wrote: Neil should probably confirm, but I believe the way to approach this would be to use CGI.escape: %= link_to View in Google Earth, earth_index_path ?location_id= CGI.escape(@location.to_id.to_s) % On 04/11/2013 10:13 AM, Matthew Brookes wrote: Ach, sorry, my mistake - when I expanded the terminal window to copy as much of the warning as possible, I realised it was actually a link_to warning for the following line, caused by this rather ugly piece of code: %= link_to View in Google Earth, earth_index_path?location_id=@location.id.to_s % The earth#index view linked to here embeds the google-earth plugin, and passes the location id referenced by params[:location_id] as another query string back to a location resource as a networkLink request. This in turn sends the lat/lon (among other things) as kml to tell the google earth plugin where to center the view, and what to overlay. It's a bit of a daisy-chain, but it works! I could possibly use session / flash to pass the location_id, but using a querystring makes the link bookmarkable. Also, i /think /the google-earth plugin maintains its own session. Any ideas? Thanks! On 11 April 2013 01:01, Justin Collins jus...@presidentbeef.com mailto:jus...@presidentbeef.com mailto:jus...@presidentbeef.com mailto:jus...@presidentbeef.com wrote: Actually, image_tag (and most other _tag methods) should be ignored. I'm having trouble reproducing this warning. Can you show us the entire warning output? What version of Rails and Brakeman are you using? Thanks! -Justin On 04/10/2013 04:06 PM, Matthew Brookes wrote: Hi! I'm getting an XSS warning for this: %= image_tag http://maps.google.com/maps/api/staticmap?size=610x450sensor=falsezoom=15markers=#{@location.latitude}%2C#{@location.longitude}; % Is there something I need to do to improve my code, or is this an expected false positive? Thanks! Matt. On 10 April 2013 18:09, Matthew Brookes m...@brookes.net mailto:m...@brookes.net mailto:m...@brookes.net mailto:m...@brookes.net mailto:m...@brookes.net mailto:m...@brookes.net mailto:m...@brookes.net mailto:m...@brookes.net wrote:
Re: [brakeman] Re:
Neil should probably confirm, but I believe the way to approach this would be to use CGI.escape: %= link_to View in Google Earth, earth_index_path ?location_id= CGI.escape(@location.to_id.to_s) % On 04/11/2013 10:13 AM, Matthew Brookes wrote: Ach, sorry, my mistake - when I expanded the terminal window to copy as much of the warning as possible, I realised it was actually a link_to warning for the following line, caused by this rather ugly piece of code: %= link_to View in Google Earth, earth_index_path?location_id=@location.id.to_s % The earth#index view linked to here embeds the google-earth plugin, and passes the location id referenced by params[:location_id] as another query string back to a location resource as a networkLink request. This in turn sends the lat/lon (among other things) as kml to tell the google earth plugin where to center the view, and what to overlay. It's a bit of a daisy-chain, but it works! I could possibly use session / flash to pass the location_id, but using a querystring makes the link bookmarkable. Also, i /think /the google-earth plugin maintains its own session. Any ideas? Thanks! On 11 April 2013 01:01, Justin Collins jus...@presidentbeef.com mailto:jus...@presidentbeef.com wrote: Actually, image_tag (and most other _tag methods) should be ignored. I'm having trouble reproducing this warning. Can you show us the entire warning output? What version of Rails and Brakeman are you using? Thanks! -Justin On 04/10/2013 04:06 PM, Matthew Brookes wrote: Hi! I'm getting an XSS warning for this: %= image_tag http://maps.google.com/maps/api/staticmap?size=610x450sensor=falsezoom=15markers=#{@location.latitude}%2C#{@location.longitude}; % Is there something I need to do to improve my code, or is this an expected false positive? Thanks! Matt. On 10 April 2013 18:09, Matthew Brookes m...@brookes.net mailto:m...@brookes.net mailto:m...@brookes.net mailto:m...@brookes.net wrote:
Re: [brakeman] Re:
Rails 2? If so, those interpolated values would need to be h()'d On Wed, Apr 10, 2013 at 4:06 PM, Matthew Brookes m...@brookes.net wrote: Hi! I'm getting an XSS warning for this: %= image_tag http://maps.google.com/maps/api/staticmap?size=610x450sensor=falsezoom=15markers=#{@location.latitude}%2C#{@location.longitude}; % Is there something I need to do to improve my code, or is this an expected false positive? Thanks! Matt. On 10 April 2013 18:09, Matthew Brookes m...@brookes.net wrote:
Re: [brakeman] Re:
Actually, image_tag (and most other _tag methods) should be ignored. I'm having trouble reproducing this warning. Can you show us the entire warning output? What version of Rails and Brakeman are you using? Thanks! -Justin On 04/10/2013 04:06 PM, Matthew Brookes wrote: Hi! I'm getting an XSS warning for this: %= image_tag http://maps.google.com/maps/api/staticmap?size=610x450sensor=falsezoom=15markers=#{@location.latitude}%2C#{@location.longitude}; % Is there something I need to do to improve my code, or is this an expected false positive? Thanks! Matt. On 10 April 2013 18:09, Matthew Brookes m...@brookes.net mailto:m...@brookes.net wrote: