
I have installed Brakeman and am getting security vulnerabilities.

Here is my warning

Unescaped model attribute rendered inline near line 24: render(inline => SendGridMailer.weekly_email([current_user], WeeklyNewsletterFactory.new.email(:preview => true)).html_part.body.raw_source, {})

Line: 24

render inline: SendGridMailer.weekly_email([current_user], email).html_part.body.raw_source

I have tried this solution as suggested by Brakeman, but after doing this I start getting the error "Could not parse":

render(inline: SendGridMailer.weekly_email([current_user], email).html_part.body.raw_source,{}) 

Rails - 4.2.4
Brakeman - 3.1.2
Ruby - 2.3.1

ankur
  • Why am I getting this warning, "Unescaped model attribute rendered inline", and how do I resolve it? Brakeman says it is a cross-site scripting vulnerability – ankur Jan 05 '18 at 09:09
  • What is line 24? – Jagdeep Singh Jan 05 '18 at 09:11
  • I have already inserted the code for line 24: render inline: SendGridMailer.weekly_email([current_user], email).html_part.body.raw_source – ankur Jan 05 '18 at 09:12
  • Similar question here: https://stackoverflow.com/questions/38673359/brakeman-error-unescaped-model-attribute-near – Jagdeep Singh Jan 05 '18 at 09:15
  • That's not a similar question. Please go through it once again – ankur Jan 05 '18 at 09:15
  • What solution have you tried? Where did you find it? What exact error do you get? – Aleksei Matiushkin Jan 05 '18 at 09:35
  • I have already posted the solution I tried just below my question. I found it in Brakeman's suggestions. I have updated my question so you can see the exact error now – ankur Jan 05 '18 at 09:39
  • What does `SendGridMailer.weekly_email([current_user], email).html_part.body.raw_source` return? An HTML fragment? A full HTML page? Just the text from the HTML mail? Did you escape everything within the mailer view (aka is the returned value HTML safe)? – spickermann Jan 05 '18 at 11:18

3 Answers


When you call render inline: ..., Rails will treat the text passed in as an ERB template. This means if the string you provide has any <%...%> tags in it (or the possibility of an attacker inserting them), they will be executed as Ruby code.

If that is what you want, then there is no problem. Ignore the warning. But keep in mind this is dangerous! If an attacker can manipulate the text to insert ERB tags, they can execute arbitrary code on your server.

If you just want to output some HTML, use

render html: SendGridMailer.weekly_email([current_user], email).html_part.body.raw_source.html_safe

(Note there is the possibility of cross-site scripting if you are not escaping user input inside of the email).

If you meant to output plaintext, use

render plain: SendGridMailer.weekly_email([current_user], email).html_part.body.raw_source

Also, Brakeman does not output suggested code fixes, so you are likely misinterpreting the report.

Justin
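To make the three options in this answer concrete, here is an added example (not code from the question, from Rails or from Brakeman) that models each render call with Ruby's standard ERB library; RAW_SOURCE is a constructed stand-in for the mailer's raw_source, and the function names are my own.

```ruby
require 'erb'

# Constructed stand-in for the mailer output
# (SendGridMailer.weekly_email(...).html_part.body.raw_source): an HTML
# fragment in which a subscriber-supplied string holding an ERB tag was
# interpolated without escaping.
RAW_SOURCE = '<p>Hello <b>Ada</b>, you have <%= 6 * 7 %> unread posts</p>'

# Models `render inline:`: Rails compiles the string as an ERB template, so
# any <% %> tags inside it run as Ruby on the server before the result is sent.
def render_inline(source)
  { content_type: 'text/html', body: ERB.new(source).result(binding) }
end

# Models `render html: source.html_safe`: the markup is sent as is. Nothing is
# executed server-side, but the browser interprets the markup, so any user
# input inside it must already have been escaped by the mailer view.
def render_html(source)
  { content_type: 'text/html', body: source.dup }
end

# Models `render plain:`: the string goes out unchanged as text/plain, so the
# browser shows it as text and interprets neither ERB nor HTML.
def render_plain(source)
  { content_type: 'text/plain', body: source.dup }
end

# What the h() view helper does: HTML-escape the value so the browser displays
# the markup literally. This is what "escaping user input inside the email"
# means for anything interpolated into the mailer view.
def escape_for_view(value)
  ERB::Util.html_escape(value)
end

# Check a controller can run before handing a string that was never authored
# as a template to `render inline:`: if it carries ERB tags, something
# upstream has put template syntax into data.
def erb_tags?(source)
  !(source =~ /<%.*?%>/m).nil?
end
```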

You can make use of Premailer::Rails::Hook.perform

Premailer::Rails::Hook.perform(SendGridMailer.weekly_email([current_user], email)).html_part.body.raw_source
Aniket Tiwari

In a view you can add h() to escape the value and remove the Brakeman warning.

Dorian