
False positive warning when rendering a partial that has a local called `text`

Open strika opened this issue 1 year ago • 0 comments

Background

Brakeman version: 7.0.0
Rails version: 7.1.5.1
Ruby version: 3.3.7

Issue

The following code:

<%= render(
  "inventory_unit/shared/inventory_record",
  text: params.dig(:inventory_unit, :inventory_record, :comment)
) %>

Produces:

Confidence: High
Category: Cross-Site Scripting
Check: RenderInline
Message: Unescaped parameter value rendered inline
Code: render(text => params.dig(:inventory_unit, :inventory_record, :comment), {})
File: app/inventory/views/inventory_unit/new.html.erb
Line: 86

However, changing the parameter name from `text` to `comment` doesn't produce a warning:

<%= render(
  "inventory_unit/shared/inventory_record",
  comment: params.dig(:inventory_unit, :inventory_record, :comment)
) %>

strika, Jan 22 '25 12:01
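An added illustration of why the two call shapes differ in risk; this is not code from the report or from Brakeman. It emulates Rails output escaping with plain ERB, uses a constructed stand-in for the `inventory_record` partial (the page does not show its contents), and `inline_render?` is a simplified heuristic, not Brakeman's actual RenderInline logic.

```ruby
require "erb"

# Constructed stand-in for inventory_unit/shared/inventory_record (assumption).
# In a Rails view, <%= text %> goes through html_escape automatically; plain
# ERB does not, so the escape is spelled out here to emulate that behaviour.
INVENTORY_RECORD_PARTIAL = '<p class="comment"><%= ERB::Util.html_escape(text) %></p>'

# render("partial", text: value): `text` is just a local. The value is escaped
# when the partial outputs it, so the local's name carries no XSS risk.
def render_partial_with_text_local(value)
  ERB.new(INVENTORY_RECORD_PARTIAL).result_with_hash(text: value)
end

# Legacy render(text: value) (removed in Rails 5.1): the string was written to
# the response body verbatim, with no escaping. This is the pattern the
# RenderInline check exists to catch.
def render_inline_text(value)
  value.to_s
end

# Simplified heuristic (hypothetical, not Brakeman's implementation): a
# render call is inline rendering only when there is no positional template
# argument and the options hash carries an inline-rendering key. A hash that
# follows a partial name is a locals hash, whatever its keys are called.
INLINE_KEYS = %i[text inline html].freeze

def inline_render?(positional_args, options)
  positional_args.empty? && INLINE_KEYS.any? { |k| options.key?(k) }
end

if __FILE__ == $PROGRAM_NAME
  param = "<script>alert(1)</script>" # constructed untrusted input
  puts render_partial_with_text_local(param)
  puts render_inline_text(param)
  p inline_render?(["inventory_unit/shared/inventory_record"], { text: param })
  p inline_render?([], { text: param })
end
```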