Code Climate is giving me a "Cross Site Scripting" error on this line of code in one of the html.haml:
= link_to 'Next', @redirect_uri, data: { no_turbolink: true }, class: 'btn btn-primary'
In the controller, @redirect_uri is:
@redirect_uri = params[:redirect_uri] << "&show_more_pages=false"
params[:redirect_uri] is a very long url with the redirect uri in it.
What exactly is wrong and how can I make Code Climate happy?
Code Climate is complaining because you're embedding the potentially user-provided redirect_uri in your page. That URI might be JavaScript, which would execute when a user clicks the link. Because the user's clicking a link rendered by your page, the JS has access to the page as if you'd written the code yourself, so someone devious can exfiltrate all sorts of information you intended only the user and your server to have access to.
Try it out with a link like this:
http://your.web.site/?redirect_uri=alert('Boom');
Since you're in Rails, you have access to sanitize, which cleans out evil parts of the URL for you and I expect will quiet Code Climate. There are also a few SO questions around that might help:
