Ruby Xss In Raw Helper
Description
This detector identifies Cross-Site Scripting (XSS) vulnerabilities in Ruby applications where user input is passed directly to the `raw` helper method without proper sanitization. The `raw` helper marks its argument as HTML-safe, so the view layer skips escaping and writes the content to the response as-is; whatever markup or script an attacker can place in untrusted data therefore reaches the browser unchanged.
Detection Strategy
• The detector triggers when it finds calls to the `raw` helper method in Ruby code
• It examines the first argument passed to the `raw` method to determine if it contains unsafe user input
• A vulnerability is reported when the argument to `raw` comes from user-controlled sources (like request parameters, form inputs, or database values) that haven't been properly sanitized
• The analysis includes checking whether any sanitization functions have been applied to the input before it reaches the `raw` helper
Vulnerable code example

class PagesController < ApplicationController
  # raw is an ActionView helper; it is included here only so this excerpt
  # has the method outside a view
  include ActionView::Helpers::OutputSafetyHelper

  def show
    # VULNERABLE: raw() bypasses HTML escaping with user input
    name_html = raw params[:name]
    # VULNERABLE: cookies are user-controlled data
    banner = raw(cookies[:banner_text])
  end
end

Secure code example
class PagesController < ApplicationController
  # h is ERB::Util#html_escape; including the module makes it available
  # outside a view
  include ERB::Util

  def show
    # SAFE: h() escapes HTML entities to prevent XSS
    name_html = h(params[:name])
    # SAFE: HTML escape cookie values from users
    banner = h(cookies[:banner_text])
  end
end
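An added example, not part of Fluid Attacks' detector or of the page's own code, that shows both halves of this page in plain Ruby: ERB::Util.html_escape (the method behind Rails' h()) neutralising a constructed tag, and a small regex scan that applies the detection strategy above to a constructed controller excerpt. The names escape_for_html, first_raw_argument, flag_unsafe_raw and SAMPLE_SOURCE are assumptions made for this example.

```ruby
require "erb"

# Rails' h() is an alias for ERB::Util.html_escape, so the same escaping
# can be exercised outside a view with the standard library only.
def escape_for_html(value)
  ERB::Util.html_escape(value.to_s)
end

# Hypothetical mini-detector following the page's strategy: flag raw() calls
# whose first argument refers to user-controlled data and has no sanitizer
# wrapped around it. (Database-backed values, which the page also names,
# are outside this toy scan.)
USER_SOURCES = /\b(params|cookies|request)\b/
SANITIZERS   = /\b(h|html_escape|sanitize|strip_tags)\s*\(/

# First argument of `raw foo` or `raw(foo, ...)`; nil if the line has no raw call.
def first_raw_argument(line)
  m = line.match(/\braw\b\s*\(?\s*([^,)]*)/)
  m && m[1].strip
end

# Returns [[line_number, argument], ...] for every unsafe raw() call in source.
def flag_unsafe_raw(source)
  findings = []
  source.each_line.with_index(1) do |line, n|
    next if line.lstrip.start_with?("#")   # a comment cannot call raw
    arg = first_raw_argument(line)
    next unless arg && arg.match?(USER_SOURCES)
    next if arg.match?(SANITIZERS)          # h(...), sanitize(...) etc. already applied
    findings << [n, arg]
  end
  findings
end

# Constructed controller excerpt mixing the page's vulnerable and safe patterns.
SAMPLE_SOURCE = <<~RUBY
  class PagesController < ApplicationController
    def show
      # VULNERABLE: raw() bypasses HTML escaping with user input
      name_html = raw params[:name]
      banner = raw(cookies[:banner_text])
      bio = raw(sanitize(params[:bio]))
      footer = raw "<b>static markup</b>"
      safe_name = h(params[:name])
    end
  end
RUBY

puts flag_unsafe_raw(SAMPLE_SOURCE).inspect  # [[4, "params[:name]"], [5, "cookies[:banner_text]"]]
puts escape_for_html('Bob <script>alert(1)</script>')  # Bob &lt;script&gt;alert(1)&lt;/script&gt;
```

The scan is line-based and only recognises sanitizers called with parentheses, so `raw h params[:name]` would slip past it; a real detector works on the parsed AST rather than text.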