I used Brakeman to generate scanning reports for my application. It generated a Cross-Site Scripting security warning in my view page as:
Unsafe parameter value in link_to href near line 3: link_to("", Instagram.authorize_url(:redirect_uri => ((Rails.application.config.custom.domain_url + "instagram/callback/?edit=") + (params[:id].present? ? (params[:id]) : ("")))), :id => "insta-sign-in-button")
This is my view:
<% if @instagram_oauth.nil? %>
<h2>Connect to your Instagram account</h2>
<%= link_to '', Instagram.authorize_url(:redirect_uri => Rails.application.config.custom.domain_url + 'instagram/callback/?edit=' + (params[:id].present? ? params[:id] : '')), :id => "insta-sign-in-button" %>
<% end %>
How do I fix this warning?
Answer 0: (score: 1)
The warning clearly indicates that you are passing the parameter params[:id]
directly to link_to, which can be dangerous.
It is better to pass some object to it. Or, if you cannot do that, you can pass a local variable in link_to to get rid of this warning. But this is not a proper solution.
url_id = params[:id].present? ? params[:id] : ''
and pass this in your link_to URL.
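The following is an added example, not code from the question or the answer above. It shows, in plain Ruby outside Rails, why Brakeman flags the view: the callback URL is built by string concatenation, so whatever arrives in params[:id] lands in the href verbatim. The hardened version validates the id against the shape this app's ids are assumed to have (decimal digits, an assumption) and then encodes it as a proper query parameter with URI.encode_www_form. DOMAIN_URL and the helper names are constructed for the example; in a Rails view the helper would be called from link_to in place of the inline concatenation.

```ruby
require 'uri'

# Constructed base URL standing in for Rails.application.config.custom.domain_url.
DOMAIN_URL = 'https://example.test/'.freeze

# Mirrors the original view: raw concatenation, no validation, no encoding.
# This is the pattern Brakeman reports as "Unsafe parameter value in link_to href".
def naive_redirect_uri(raw_id)
  id = raw_id.to_s
  DOMAIN_URL + 'instagram/callback/?edit=' + (id.empty? ? '' : id)
end

# Assumption for this example: an id is a short run of decimal digits.
ID_PATTERN = /\A\d{1,18}\z/

# Returns the id when it matches the allowed shape, otherwise nil.
def sanitized_id(raw_id)
  id = raw_id.to_s
  ID_PATTERN.match?(id) ? id : nil
end

# Hardened builder: validated value, encoded as a query parameter by the URI library
# rather than spliced into the string by hand. An invalid id degrades to "edit=".
def safe_redirect_uri(raw_id)
  uri = URI.join(DOMAIN_URL, 'instagram/callback/')
  uri.query = URI.encode_www_form(edit: sanitized_id(raw_id).to_s)
  uri.to_s
end

# True when the parameter was able to introduce extra query keys into the URL,
# which is the symptom the scanner is warning about.
def query_broken_out?(url)
  URI.parse(url).query.to_s.split('&').length > 1
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: a normal id and one carrying an extra query pair.
  ['42', '42&foo=bar', nil].each do |raw|
    puts "raw=#{raw.inspect}"
    puts "  naive: #{naive_redirect_uri(raw)}  (broken out: #{query_broken_out?(naive_redirect_uri(raw))})"
    puts "  safe:  #{safe_redirect_uri(raw)}   (broken out: #{query_broken_out?(safe_redirect_uri(raw))})"
  end
end
```

In the Rails view this becomes link_to '', Instagram.authorize_url(:redirect_uri => safe_redirect_uri(params[:id])), with the helper living in a view helper module; the point is that the value handed to link_to is validated and encoded before it ever reaches the href, rather than merely copied into a local variable first.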