Overly strict "security issue" definition...

[swombat]

I really don't see what the "security issue" is with this code:

<div data-controller="<%= hide_button_text.present? ? " reveal" : "" %><%= has_files ? " file-upload" : "" %> <%= clear_on_submit ? " clear-fields" : "" %>" <%= compact_form ? "data-turbo-permanent" : "" %>>

There is no security issue in this, and I don't see an equivalently clear way to achieve this without using ERB output tags in params.

How can I disable this warning? (or better yet maybe it should not be a warning in the first place?)

Cheers!

[marcoroth]

Hey @swombat, thank you for reporting this!

The issue here is that you are using <%= within the HTML tag itself, which could be an issue if the user can control the Ruby/value inside that ERB tag. Right now it's not looking at the Ruby code at all, but ideally we could disable this warning if we can determine it's only dealing with static strings.

Also looking at the screenshot, I think the location is a bit misleading. The warning is triggered by the last part, the part in the attribute value itself is fine:

<div 
  data-controller="<%= hide_button_text.present? ? " reveal" : "" %><%= has_files ? " file-upload" : "" %> <%= clear_on_submit ? " clear-fields" : "" %>" 
  <!-- ^ this line is fine -->

  <%= compact_form ? "data-turbo-permanent" : "" %> 
  <!-- ^ this is the issue -->
>

Either you could rewrite this as:

<div 
  data-controller="<%= hide_button_text.present? ? " reveal" : "" %><%= has_files ? " file-upload" : "" %> <%= clear_on_submit ? " clear-fields" : "" %>" 

  <% if compact_form %> data-turbo-permanent <% end %>
>

or use a tag.div and tag.attributes/token_list to compose them:

<%= tag.div(
  data: {
    controller: token_list(
      "reveal" => hide_button_text.present?,
      "file-upload" => has_files,
      "clear-fields" => clear_on_submit
    ),
    turbo_permanent: compact_form ? true : nil
  }
) do %>
  ...
<% end %>

But I agree, the current situation is not ideal and should also somehow allow to be skipped.