Skip to content

Commit dbb239b

Browse files
committed
reorder and format rb/reflected-xss qhelp
1 parent d71dd3f commit dbb239b

1 file changed

Lines changed: 46 additions & 50 deletions

File tree

Lines changed: 46 additions & 50 deletions
Original file line numberDiff line numberDiff line change
@@ -1,59 +1,55 @@
11
<!DOCTYPE qhelp PUBLIC
2-
"-//Semmle//qhelp//EN"
3-
"qhelp.dtd">
2+
"-//Semmle//qhelp//EN"
3+
"qhelp.dtd">
44
<qhelp>
55

6-
<overview>
7-
<p>
8-
Directly writing user input (for example, an HTTP request parameter) to a webpage
9-
without properly sanitizing the input first, allows for a cross-site scripting
10-
vulnerability.
11-
</p>
12-
</overview>
6+
<overview>
7+
<p>
8+
Directly writing user input (for example, an HTTP request parameter) to a webpage
9+
without properly sanitizing the input first, allows for a cross-site scripting
10+
vulnerability.
11+
</p>
12+
</overview>
1313

14-
<recommendation>
15-
<p>
16-
To guard against cross-site scripting, consider escaping the input before
17-
writing user input to the page. In some frameworks, such as Rails, escaping will
18-
be performed implicitly and by default.
19-
</p>
20-
</recommendation>
14+
<recommendation>
15+
<p>
16+
To guard against cross-site scripting, consider escaping the input before
17+
writing user input to the page. In some frameworks, such as Rails, escaping will
18+
be performed implicitly and by default.
19+
</p>
2120

22-
<example>
23-
<p>
24-
For instance, the following example is safe because the
25-
<code>params[:user_name]</code> content within the output tags will be
26-
automatically HTML escaped before being output.
27-
</p>
28-
<sample src="examples/safe.html.erb" />
29-
</example>
21+
<p>
22+
Care should be taken when using methods such as <code>html_safe</code> or
23+
<code>raw</code>. These methods can be used to output a string without escaping
24+
it. As such, they should only be used when the string has already been manually
25+
escaped (for example, with the Rails <code>html_escape</code> method), or when
26+
the content is otherwise guaranteed to be safe (such as a hard-coded string).
27+
</p>
28+
</recommendation>
3029

31-
<recommendation>
32-
<p>
33-
Care should be taken when using methods such as <code>html_safe</code> or
34-
<code>raw</code>. These methods can be used to output a string without escaping
35-
it. As such, they should only be used when the string has already been manually
36-
escaped (for example, with the Rails <code>html_escape</code> method), or when
37-
the content is otherwise guaranteed to be safe (such as a hard-coded string).
38-
</p>
39-
</recommendation>
30+
<example>
31+
<p>
32+
In the following example is safe because the
33+
<code>params[:user_name]</code> content within the output tags will be
34+
automatically HTML escaped before being output.
35+
</p>
36+
<sample src="examples/safe.html.erb" />
4037

41-
<example>
42-
<p>
43-
The following example is unsafe because user-controlled input is output without
44-
escaping due to being marked as <code>html_safe</code>.
45-
</p>
46-
<sample src="examples/reflective_xss.html.erb" />
47-
</example>
38+
<p>
39+
However, the following example is unsafe because user-controlled input is
40+
output without escaping due to being marked as <code>html_safe</code>.
41+
</p>
42+
<sample src="examples/reflective_xss.html.erb" />
43+
</example>
4844

49-
<references>
50-
<li>
51-
OWASP:
52-
<a href="https://cheatsheetseries.owasp.org/cheatsheets/Ruby_on_Rails_Cheat_Sheet.html#cross-site-scripting-xss">XSS
53-
Ruby on Rails Cheatsheet</a>.
54-
</li>
55-
<li>
56-
Wikipedia: <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting</a>.
57-
</li>
58-
</references>
45+
<references>
46+
<li>
47+
OWASP:
48+
<a href="https://cheatsheetseries.owasp.org/cheatsheets/Ruby_on_Rails_Cheat_Sheet.html#cross-site-scripting-xss">XSS
49+
Ruby on Rails Cheatsheet</a>.
50+
</li>
51+
<li>
52+
Wikipedia: <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting</a>.
53+
</li>
54+
</references>
5955
</qhelp>

0 commit comments

Comments
 (0)