How to fix Cross Site Scripting security warning in rails generated by brakeman?


I used Brakeman to generate scanning reports for my application. It generated many Cross Site Scripting security warnings with high confidence. One of them is:

Unescaped parameter value rendered inline near line 47: render(text => "unexpected eventtype #{params["eventtype"]}", { :status => 406 }) app/controllers/event_controller.rb. In the controller method shown below, the 1st line is the one producing the above warning.

I have seen this link but couldn't fix it. Please help. The controller code:

  def purchase
    render :status => 406, :text => "unexpected eventtype #{params['eventtype']}" and return unless params['eventtype'] == 'purchased'
    @account = Account.new
    render :status => 406, :text => "could not find plan #{params['plan']}" and return unless @account.plan = @plan = SubscriptionPlan.find_by_name(params['plan'])
  end

When using render :text => ..., Rails still renders the output as HTML (with content type text/html). Since the code puts user input (params['eventtype']) directly into the output, this is a classic cross-site scripting vulnerability.

You have 2 options. Use render :plain instead (which renders with content type text/plain instead of HTML):

  render :status => 406, :plain => "unexpected eventtype #{params['eventtype']}"

Or escape the user input:

  render :status => 406, :text => "unexpected eventtype #{ERB::Util.html_escape(params['eventtype'])}"
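
The difference between the two response bodies, as an added example that is not part of the question or the answer above: plain Ruby helpers (hypothetical names, no Rails required) build the 406 body the way the original action does and the way the escaped fix does, so you can see what a constructed eventtype value turns into before it reaches a browser.

```ruby
require 'erb'

# Builds the 406 body the way the original action does: the user-supplied
# value is interpolated verbatim, so any markup in params['eventtype']
# reaches the browser inside a text/html response.
def unescaped_eventtype_body(eventtype)
  "unexpected eventtype #{eventtype}"
end

# Hardened form: ERB::Util.html_escape rewrites &, <, >, " and ' as HTML
# entities, so the value is displayed as literal text even when the
# response content type is text/html.
def escaped_eventtype_body(eventtype)
  "unexpected eventtype #{ERB::Util.html_escape(eventtype)}"
end

# True when the body still carries raw angle brackets, i.e. a browser could
# interpret part of the user-supplied value as markup. This is the check a
# scanner like Brakeman is effectively warning about.
def contains_raw_markup?(body)
  body.include?('<') || body.include?('>')
end

# Constructed sample input (not from a real request): a value that a
# scanner would flag because it contains HTML tags.
SAMPLE_EVENTTYPE = '<b>purchased</b>'

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{unescaped_eventtype_body(SAMPLE_EVENTTYPE)}"
  puts "escaped:    #{escaped_eventtype_body(SAMPLE_EVENTTYPE)}"
end
```

In the controller this corresponds to replacing the interpolated string with escaped_eventtype_body(params['eventtype']), or switching to render :plain so the body is never interpreted as HTML at all.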
