我收到很多错误如下
Unescaped model attribute near line 20: show_errors(Objective.new(objective_params), :name)
展开 View
这是我的代码
module ApplicationHelper
# Error Helper for Form
def show_errors(object, field_name)
if object.errors.any? && object.errors.messages[field_name][0].present?
"<label class='text-error'>" + object.errors.messages[field_name][0] + "</label>"
else
return ""
end
end
end
最佳答案
来自刹车人 Cross Site Scripting文档:
By default, Brakeman will also warn when a parameter or cookie value is used as an argument to a method, the result of which is output unescaped to a view.
For example:
<%= some_method(cookie[:name]) %>
This raises a warning like:
Unescaped cookie value near line 5: some_method(cookies[:oreo])
However, the confidence level for this warning will be weak, because it is not directly outputting the cookie value.
最后一句话可能很重要。如果您确定您的值被转义,则此警告可能会被忽略/禁用。
关于ruby-on-rails - Brakeman 错误 - 附近未转义的模型属性,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/38673359/