Recognize how slim sometimes outputs safe html (with `escape_html_safe`)

Reduces slim XSS false positives in cases where brakeman is run in the context of an app that includes active support. Templates compile down to Template::Utils.escape_html_utils if Active Support's `html_safe?` method is defined. See: https://github.com/judofyr/temple/blob/master/lib/temple/filters/escapable.rb#L12

Recognize how slim sometimes outputs safe html (with `escape_html_safe`)
Reduces slim XSS false positives in cases where brakeman is run in the context of an app that includes active support. Templates compile down to Template::Utils.escape_html_utils if Active Support's `html_safe?` method is defined. See: https://github.com/judofyr/temple/blob/master/lib/temple/filters/escapable.rb#L12
988f908a · Noah Davis · 7ebe5266 · 988f908a
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

lib/brakeman/processors/slim_template_processor.rb lib/brakeman/processors/slim_template_processor.rb +1 -1

未找到文件。
--- a/lib/brakeman/processors/slim_template_processor.rb
+++ b/lib/brakeman/processors/slim_template_processor.rb
@@ -96,7 +96,7 @@ class Brakeman::SlimTemplateProcessor < Brakeman::TemplateProcessor
  def is_escaped? exp
    call? exp and
    exp.target == TEMPLE_UTILS and
-    exp.method == :escape_html
+    (exp.method == :escape_html or exp.method == :escape_html_safe)
  end

  def render? exp