提交 ee558334 编写于 作者: J Justin

Merge pull request #392 from presidentbeef/to_json_escaped_in_rails4

Do not warn about XSS with `to_json` in Rails 4
......@@ -66,6 +66,8 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
true? tracker.config[:rails][:active_support][:escape_html_entities_in_json]
json_escape_on = true
elsif version_between? "4.0.0", "5.0.0"
json_escape_on = true
end
if !json_escape_on or version_between? "0.0.0", "2.0.99"
......
class User < ActiveRecord::Base
end
......@@ -29,4 +29,42 @@ class Rails4Tests < Test::Unit::TestCase
:file => /secret_token\.rb/,
:relative_path => "config/initializers/secret_token.rb"
end
def test_json_escaped_by_default_in_rails_4
assert_no_warning :type => :template,
:warning_code => 5,
:fingerprint => "3eedfa40819ce95d1d999ad19464023688a0e8bb881fc3e7683b6c3fffb7e51f",
:warning_type => "Cross Site Scripting",
:line => 1,
:message => /^Unescaped\ model\ attribute\ in\ JSON\ hash/,
:confidence => 0,
:relative_path => "app/views/users/index.html.erb"
assert_no_warning :type => :template,
:warning_code => 5,
:fingerprint => "fb0cb7e94e9a4bebd81ef44b336e02f68bf24f2c40e28d4bb5c21641276ea6cf",
:warning_type => "Cross Site Scripting",
:line => 3,
:message => /^Unescaped\ model\ attribute/,
:confidence => 2,
:relative_path => "app/views/users/index.html.erb"
assert_no_warning :type => :template,
:warning_code => 5,
:fingerprint => "8ce0a9eacf25be1f862b9074e6ba477d2f0e2ac86955b8510052984570b92d14",
:warning_type => "Cross Site Scripting",
:line => 5,
:message => /^Unescaped\ parameter\ value\ in\ JSON\ hash/,
:confidence => 0,
:relative_path => "app/views/users/index.html.erb"
assert_no_warning :type => :template,
:warning_code => 2,
:fingerprint => "b107fcc7742084a766a31332ba5c126f1c1a1cc062884f879dc3204c5f7620c5",
:warning_type => "Cross Site Scripting",
:line => 7,
:message => /^Unescaped\ parameter\ value/,
:confidence => 0,
:relative_path => "app/views/users/index.html.erb"
end
end
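Review bot: The new test pins only the default case; there is no companion test that a Rails 4 app which explicitly sets `config.active_support.escape_html_entities_in_json = false` still produces warning_code 5. Reading the check hunk above, the `version_between? "4.0.0", "5.0.0"` branch assigns `json_escape_on = true` only after the `true?` config test has failed, so an explicit `false` in a Rails 4 app would be treated as escaped and the four `assert_no_warning` calls here cannot catch that regression. A second fixture (or a config override within this test) asserting `assert_warning :type => :template, :warning_code => 5, :line => 1, ...` under that setting would pin the intended behaviour; the fingerprints would need to be generated from that fixture rather than reused from this one.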