text should be escaped
|
"#{ui_glyph glyph_args} #{text}".html_safe |
table_title probably needs to be escaped. That or the + operator should be used which correctly handle safe and unsafe strings:
|
"#{table_glyph}#{table_title}".html_safe |
content[:label] is probable not safe
|
concat content_tag(:label, "#{abbr_html} #{content[:label]}".html_safe, class: label_classes) if content[:label] |
label est unsafe, c'est un XSS, garanti
|
[content_tag(:i, '', html_options), label].compact.join(' ').html_safe |
title est probablement unsafe selon les cas
|
link_to title.html_safe, url_for(url_options_o), { class: cls } |
- certains items ne sont probablement pas safe (je suppose que sinon tous auraient la méthode
render)
|
content_tag :div, @items.map { |item| item.respond_to?(:render) ? item.try(:render) : item }.join.html_safe, html_options |
probably needs further investigation:
|
content_tag :div, @items.join.html_safe, html_options |
|
content_tag :div, @items.join.html_safe, html_options |
- What's in
content?
|
content_tag :p, content.html_safe, html_options |
- What's in
@header and @footer?
|
[@header, @items.join, @footer].compact.join.html_safe |
|
[@header, @items.join, @footer].compact.join.html_safe |
|
[@header, @items.join, @footer].compact.join.html_safe |
- What's in
@actions?
probably not as problematic, but I believe these html_safe are not needed :
|
'data-bs-content' => @content.html_safe |
|
options[data_attribute].is_a?(String) ? options[data_attribute].html_safe : options[data_attribute] |
|
'data-bs-title' => @content.html_safe |
|
options[data_attribute].is_a?(String) ? options[data_attribute].html_safe : options[data_attribute] |