Unescaped model attribute

Question

I have installed brakeman and getting security vulnerabilities.

Here is my warning

Unescaped model attribute rendered inline near line 24: render(inline => SendGridMailer.weekly_email([current_user], WeeklyNewsletterFactory.new.email(:preview => true)).html_part.body.raw_source, {})

Line:24

render inline: SendGridMailer.weekly_email([current_user], email).html_part.body.raw_source

I have tried this solution as suggested by brakeman but after doing this I start getting error Could not parse

render(inline: SendGridMailer.weekly_email([current_user], email).html_part.body.raw_source,{}) 

Rails - 4.2.4
Brakeman - 3.1.2
Ruby - 2.3.1

Answer 1

You can make use of Premailer::Rails::Hook.perform

Premailer::Rails::Hook.perform(SendGridMailer.weekly_email([current_user], email)).html_part.body.raw_source

Answer 2

When you call render inline: ..., Rails will treat the text passed in as an ERB template. This means if the string you provide has any <%...%> tags in it (or the possibility of an attacker inserting them), they will be executed as Ruby code.

If that is what you want, then there is no problem. Ignore the warning. But keep in mind this is dangerous! If an attacker can manipulate the text to insert ERB tags, they can execute arbitrary code on your server.

If you just want to output some HTML, use

render html: SendGridMailer.weekly_email([current_user], email).html_part.body.raw_source.html_safe

(Note there is the possibility of cross-site scripting if you are not escaping user input inside of the email).

If you meant to output plaintext, use

render plain: SendGridMailer.weekly_email([current_user], email).html_part.body.raw_source

Also, Brakeman does not output suggested code fixes, so you are likely misinterpreting the report.

Answer 3

in a view you can add h() to escape the value and remove the brakeman warning