Ruby Xss Insecure Html Safe
Description
Detects unsafe usage of the html_safe method that Ruby on Rails (ActiveSupport) adds to String, which can lead to Cross-Site Scripting (XSS) vulnerabilities. html_safe marks a string as safe HTML without performing any sanitization or escaping, so if untrusted data is marked as safe, an attacker can inject script into the rendered page.
Detection Strategy
• Identifies calls to the html_safe method in Ruby code
• Reports a vulnerability when html_safe is called directly on an element access expression (e.g., params[:user] or data[index])
• Flags cases where html_safe is used on variables or expressions that access data structures, which may contain unsanitized user input
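The detection strategy above can be reproduced with Ruby's standard-library parser, Ripper. The following is an added example, not Fluid Attacks' scanner: it walks the S-expression, finds every .html_safe call, and reports those whose receiver is an element access (foo[bar]) or an interpolated string that embeds one. The two source snippets are constructed here to mirror the vulnerable and secure controllers shown below, closed with the end keywords the page elides so that the parser accepts them.

```ruby
require "ripper"

# Constructed sample mirroring the page's vulnerable controller.
# Single-quoted heredoc so the #{...} is kept literally for the parser.
VULNERABLE_SRC = <<~'RUBY'
  class UsersController < ApplicationController
    def show
      name_display = "<h1>Hello #{params[:name]}</h1>".html_safe
      bio = request.query_parameters[:bio].html_safe
    end
  end
RUBY

# Constructed sample mirroring the page's secure controller.
SECURE_SRC = <<~'RUBY'
  class UsersController < ApplicationController
    def show
      escaped_name = ERB::Util.html_escape(params[:name])
      name_display = "<h1>Hello #{escaped_name}</h1>".html_safe
      bio = sanitize(request.query_parameters[:bio])
    end
  end
RUBY

# True if any node in the subtree is an element-access expression (foo[bar]).
def contains_aref?(node)
  return false unless node.is_a?(Array)
  return true if node[0] == :aref
  node.any? { |child| contains_aref?(child) }
end

# Pre-order walk over Ripper's S-expression, yielding every array node.
def each_node(node, &blk)
  return unless node.is_a?(Array)
  yield node
  node.each { |child| each_node(child, &blk) }
end

# Returns findings ({line:, reason:}) for html_safe calls whose receiver is
# an element access, or a string literal that interpolates an element access.
# A plain local such as "#{escaped_name}" is not reported, which is what
# keeps the secure sample clean.
def find_unsafe_html_safe(source)
  tree = Ripper.sexp(source)
  return [] if tree.nil? # syntax error: nothing to analyse

  findings = []
  each_node(tree) do |node|
    next unless node[0] == :call
    receiver, name = node[1], node[3]
    next unless name.is_a?(Array) && name[0] == :@ident && name[1] == "html_safe"
    line = name[2][0] # [:@ident, "html_safe", [line, column]]
    next unless receiver.is_a?(Array)

    if receiver[0] == :aref
      findings << { line: line, reason: "html_safe called on element access" }
    elsif receiver[0] == :string_literal && contains_aref?(receiver)
      findings << { line: line, reason: "html_safe called on string interpolating element access" }
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  find_unsafe_html_safe(VULNERABLE_SRC).each { |f| puts "line #{f[:line]}: #{f[:reason]}" }
  puts "secure sample: #{find_unsafe_html_safe(SECURE_SRC).size} finding(s)"
end
```

Working on the parse tree rather than a regular expression means the check still fires when the call is split across lines or wrapped in parentheses, and it cannot be fooled by the string ".html_safe" appearing inside a literal or comment.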
Vulnerable code example

class UsersController < ApplicationController
  def show
    # Vulnerable: Direct user input marked as HTML safe without escaping
    name_display = "<h1>Hello #{params[:name]}</h1>".html_safe
    # Vulnerable: Raw request parameters marked as safe
    bio = request.query_parameters[:bio].html_safe
    ...

✅ Secure code example
class UsersController < ApplicationController
  def show
    # Escape user input before interpolation into HTML
    escaped_name = ERB::Util.html_escape(params[:name])
    name_display = "<h1>Hello #{escaped_name}</h1>".html_safe
    # Sanitize bio to allow only safe HTML tags
    bio = sanitize(request.query_parameters[:bio])
    ...

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.