Merge pull request #154 from oreoshake/check_for_overwritten_initializer

Check for overridden initializer values

lib/brakeman/checks/check_cross_site_scripting.rb

@@ -58,8 +58,9 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
       @known_dangerous << :strip_tags
     end
 
-    matches = tracker.check_initializers :ActiveSupport, :escape_html_entities_in_json=
-    json_escape_on = matches.detect {|result| true? result[-1].first_arg}
+    json_escape_on = false
+    initializers = tracker.check_initializers :ActiveSupport, :escape_html_entities_in_json=
+    initializers.each {|result| json_escape_on = true? (result[-1].first_arg) }
 
     if !json_escape_on or version_between? "0.0.0", "2.0.99"
       @known_dangerous << :to_json

test/apps/rails3.1/app/views/users/json_test.html.erb

+<%= raw({:donkey => params[:donkey]}.to_json) %>
\ No newline at end of file

test/apps/rails3.1/config/initializers/set_escape_json.rb

+# this value will be overwritten in unset_escape_json.rb
+ActiveSupport.escape_html_entities_in_json = true

test/apps/rails3.1/config/initializers/unset_escape_json.rb

+# this overwrites the value set in set_escape_json
+ActiveSupport.escape_html_entities_in_json = false
\ No newline at end of file

test/tests/test_rails31.rb

@@ -13,7 +13,7 @@ class Rails31Tests < Test::Unit::TestCase
   def expected
     @expected ||= {
       :model => 0,
-      :template => 15,
+      :template => 16,
       :controller => 1,
       :warning => 48 }
   end
@@ -604,4 +604,13 @@ class Rails31Tests < Test::Unit::TestCase
       :confidence => 0,
       :file => /Gemfile/
   end
+
+  def test_to_json_with_overwritten_config
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :message => /^Unescaped parameter value in JSON hash/,
+      :confidence => 0,
+      :line => 1,
+      :file => /json_test\.html\.erb/
+  end
 end