Got it. I submitted an issue, but when I RTFM'd (I should do that more
often!) link_to, it turns out it can generate (I presume safely escaped?) query
strings, so I ended up with:
<%= link_to 'View in Google Earth', earth_index_path(:location_id => params[:id]) %>
which looks cleaner and keeps brakeman
Yes, Brakeman should probably not warn on to_param/to_query.
On 04/11/2013 01:36 PM, Matthew Brookes wrote:
Thanks Justin,
A quick search for CGI.escape brought me to this discussion
http://stackoverflow.com/a/13059657/1447810 on Ruby escape methods,
which in one of the comments had a link
Neil should probably confirm, but I believe the way to approach this
would be to use CGI.escape:
<%= link_to "View in Google Earth", "#{earth_index_path}?location_id=#{CGI.escape(@location.to_id.to_s)}" %>
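Added example (not code from this thread or from Brakeman) showing in plain Ruby, without Rails, why the CGI.escape suggestion above and the earth_index_path(:location_id => ...) hash form used later in the thread both matter: a value interpolated raw into a query string can change the URL's structure, while the escaped and hash forms keep it as one parameter. EARTH_INDEX_PATH is a hypothetical route standing in for earth_index_path, and the hash form is emulated with URI.encode_www_form (percent-encoding, as Rails' to_query does) rather than calling Rails itself.

```ruby
require 'cgi'
require 'uri'

# Hypothetical route; stands in for the Rails helper earth_index_path.
EARTH_INDEX_PATH = '/earth'.freeze

# 1. Raw interpolation: the value lands in the URL exactly as given, so any
#    '&' or '=' inside it is parsed as query-string structure by the server.
def raw_href(location_id)
  "#{EARTH_INDEX_PATH}?location_id=#{location_id}"
end

# 2. Explicit CGI.escape, as suggested in the thread: '&', '=' and spaces
#    are percent-encoded (or '+' for spaces), so the value stays one value.
def escaped_href(location_id)
  "#{EARTH_INDEX_PATH}?location_id=#{CGI.escape(location_id.to_s)}"
end

# 3. Hash form, emulating earth_index_path(:location_id => value): Rails
#    calls to_query on the hash and percent-encodes each key and value.
def hash_href(params)
  "#{EARTH_INDEX_PATH}?#{URI.encode_www_form(params)}"
end

# Parse a built href back into query parameters, the way a server would,
# so the three forms can be compared on what actually arrives.
def query_params(href)
  query = href.split('?', 2)[1] || ''
  URI.decode_www_form(query).to_h
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample value containing a space and an ampersand.
  sample = 'Mount Fuji & Hakone'
  [raw_href(sample), escaped_href(sample), hash_href(location_id: sample)].each do |href|
    puts "#{href}  =>  #{query_params(href).inspect}"
  end
end
```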
On 04/11/2013 10:13 AM, Matthew Brookes wrote:
Ach, sorry, my mistake - when I expanded the
Rails 2?
If so, those interpolated values would need to be h()'d
On Wed, Apr 10, 2013 at 4:06 PM, Matthew Brookes m...@brookes.net wrote:
Hi!
I'm getting an XSS warning for this:
<%= image_tag
Actually, image_tag (and most other _tag methods) should be ignored.
I'm having trouble reproducing this warning. Can you show us the entire
warning output? What version of Rails and Brakeman are you using?
Thanks!
-Justin
On 04/10/2013 04:06 PM, Matthew Brookes wrote:
Hi!
I'm getting an