Is it possible to enforce sanitization for all title attributes using `#h` or `#html_safe`?
I have a few tooltips that need to use HTML tags, so I use Bootstrap tooltips with the html: true option: https://getbootstrap.com/docs/4.3/components/tooltips/#options
I've run into a few XSS issues where I've forgotten to escape the title attributes in my Rails views.
Is there a way I can configure brakeman to make sure I'm properly sanitizing every title attribute in my views? Or is it possible to write my own custom check class?
I'm starting to wonder if the html: true option is just too dangerous, but I do need the HTML support in my tooltips.
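The two-context escaping problem behind this question, as an added example that is not code from this issue, from Rails, or from Brakeman. With Bootstrap's `html: true`, the browser entity-decodes the `title` attribute once and Bootstrap then injects the decoded string as HTML, so user data needs one escape for the tooltip's HTML body and a second for the attribute. The helper names, the entity decoder, the regex scanner and the sample view are all assumptions constructed for illustration; `ERB::Util.html_escape` is the stdlib function Rails' `h` delegates to, and the scanner is a plain regex heuristic, not a Brakeman custom check.

```ruby
require "erb"

# Bootstrap's tooltip with html: true reads the title attribute, which the
# browser has already entity-decoded once, and injects the result as HTML.
# User data therefore needs escaping for the HTML context AND the attribute
# context. (Hypothetical helpers; Rails' `h` delegates to ERB::Util.html_escape.)

def tooltip_title_unsafe(user_name)
  # Vulnerable: user data lands in the tooltip markup with no escaping at all.
  %(<span data-toggle="tooltip" data-html="true" title="<b>#{user_name}</b>">?</span>)
end

def tooltip_title_safe(user_name)
  # 1. Escape user data before it becomes part of the tooltip's HTML body.
  body = "<b>#{ERB::Util.html_escape(user_name)}</b>"
  # 2. Escape the whole body again because it is being placed in an attribute.
  %(<span data-toggle="tooltip" data-html="true" title="#{ERB::Util.html_escape(body)}">?</span>)
end

# Simulates what Bootstrap receives: the browser decodes the attribute once.
# Only the five entities html_escape emits are decoded here (a simplification).
def tooltip_html_injected(span_html)
  attr_value = span_html[/title="([^"]*)"/, 1]
  attr_value.gsub(/&(?:lt|gt|amp|quot|#39);/,
                  "&lt;" => "<", "&gt;" => ">", "&amp;" => "&",
                  "&quot;" => '"', "&#39;" => "'")
end

# Lightweight ERB view scanner (a regex heuristic, not a Brakeman check):
# flags title attributes whose ERB output is emitted via <%==, raw, or .html_safe.
TITLE_UNESCAPED = /title\s*=\s*["'][^"']*<%(?:==|=\s*raw\b|=[^%]*\.html_safe)[^%]*%>/

def unescaped_title_lines(erb_source)
  erb_source.each_line.with_index(1)
            .select { |line, _| line.match?(TITLE_UNESCAPED) }
            .map { |_, number| number }
end

# Constructed sample view for the scanner (not from any real application).
SAMPLE_VIEW = <<~ERB
  <span data-toggle="tooltip" data-html="true" title="<%= raw @user.bio %>">?</span>
  <span data-toggle="tooltip" data-html="true" title="<%= @user.bio.html_safe %>">?</span>
  <span data-toggle="tooltip" data-html="true" title="<%= h(@user.bio) %>">?</span>
  <span title='<%== @user.bio %>'>?</span>
ERB

if __FILE__ == $PROGRAM_NAME
  payload = "<script>x()</script>" # constructed probe string
  puts tooltip_html_injected(tooltip_title_unsafe(payload)) # markup survives
  puts tooltip_html_injected(tooltip_title_safe(payload))   # shown as text
  puts "unescaped title attributes on lines: #{unescaped_title_lines(SAMPLE_VIEW).inspect}"
end
```

Running the script shows the unsafe helper handing `<b><script>x()</script></b>` to Bootstrap, while the safe helper hands over `<b>&lt;script&gt;x()&lt;/script&gt;</b>`: the trusted `<b>` markup still renders, the user-supplied tags are displayed as text. The scanner reports lines 1, 2 and 4 of the sample view, which is the kind of pattern a custom check would look for; a real Brakeman check would work on the parsed template rather than on regexes.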
Hi @ndbroadbent can you give an example of what the code looks like?