Open
`text` should be escaped:

```ruby
"#{ui_glyph glyph_args} #{text}".html_safe
```

`table_title` probably needs to be escaped. That, or the `+` operator should be used, which correctly handles safe and unsafe strings:

```ruby
"#{table_glyph}#{table_title}".html_safe
```

`content[:label]` is probably not safe:

```ruby
concat content_tag(:label, "#{abbr_html} #{content[:label]}".html_safe, class: label_classes) if content[:label]
```

`label` is unsafe; this is a guaranteed XSS:

```ruby
[content_tag(:i, '', html_options), label].compact.join(' ').html_safe
```

`title` is probably unsafe, depending on the case:

```ruby
link_to title.html_safe, url_for(url_options_o), { class: cls }
```

Some items are probably not safe (I assume otherwise all of them would have the `render` method):

```ruby
content_tag :div, @items.map { |item| item.respond_to?(:render) ? item.try(:render) : item }.join.html_safe, html_options
```

Probably needs further investigation:

```ruby
content_tag :div, @items.join.html_safe, html_options
```

- What's in `content`?

```ruby
content_tag :p, content.html_safe, html_options
```

- What's in `@header` and `@footer`? (ui_bibz/lib/ui_bibz/ui/core/boxes/card.rb, line 108 in e916b95)

```ruby
[@header, @items.join, @footer].compact.join.html_safe
```

- What's in `@actions`?

```ruby
d.html l.to_s.html_safe
```

Probably not as problematic, but I believe these `html_safe` calls are not needed:

```ruby
'data-bs-content' => @content.html_safe
options[data_attribute].is_a?(String) ? options[data_attribute].html_safe : options[data_attribute]
'data-bs-title' => @content.html_safe
```
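The two patterns the report contrasts (interpolating into a string literal and then calling `html_safe`, versus concatenating with `+` or joining with a safe-aware helper) can be reproduced outside Rails. The block below is an added example, not ui_bibz code and not Rails' own implementation: it models the relevant part of `ActiveSupport::SafeBuffer` semantics in a few lines (a `+` that escapes non-safe operands, a `String#html_safe` that trusts whatever it is called on), defines a hypothetical `ui_glyph` stand-in, and shows why `"#{glyph} #{text}".html_safe` and `[glyph, label].join(' ').html_safe` ship attacker markup while `glyph + ' ' + text` and a `safe_join`-style helper escape it. The `<script>` payload is constructed sample input.

```ruby
require 'erb'

# Simplified model of ActiveSupport::SafeBuffer (added example, not Rails'
# implementation). A SafeBuffer is a String trusted as HTML. Concatenating a
# plain String into it with `+` escapes that String; concatenating another
# SafeBuffer keeps it verbatim.
class SafeBuffer < String
  def html_safe?
    true
  end

  def +(other)
    piece = other.html_safe? ? other.to_str : ERB::Util.html_escape(other.to_str)
    SafeBuffer.new(to_str + piece)
  end
end

class String
  def html_safe?
    false
  end

  # As in Rails: this blesses the whole receiver, no matter what it contains.
  def html_safe
    SafeBuffer.new(self)
  end
end

# Hypothetical stand-in for the glyph helper referenced in the report. The
# markup is helper-controlled, so marking it safe (after escaping the name) is fine.
def ui_glyph(name)
  %(<i class="glyph-#{ERB::Util.html_escape(name)}"></i>).html_safe
end

# Vulnerable pattern from the report: string interpolation always yields a plain
# String (the SafeBuffer's safety is lost), and `.html_safe` then trusts `text` too.
def glyph_label_vulnerable(glyph_name, text)
  "#{ui_glyph(glyph_name)} #{text}".html_safe
end

# Same defect via Array#join: join returns a plain String, so `.html_safe`
# blesses the user-controlled `label` together with the trusted glyph.
def join_vulnerable(glyph_name, label)
  [ui_glyph(glyph_name), label].compact.join(' ').html_safe
end

# Fixed with `+`: SafeBuffer#+ escapes `text` because `text.html_safe?` is false.
def glyph_label_fixed(glyph_name, text)
  ui_glyph(glyph_name) + ' ' + text
end

# safe_join-style helper (modelled on the Rails helper of that name, written
# here for the toy SafeBuffer): every part and the separator are escaped unless
# already marked safe, and the result is a SafeBuffer.
def safe_join(parts, sep = ' ')
  mark = ->(s) { s.html_safe? ? s : ERB::Util.html_escape(s).html_safe }
  safe_sep = mark.call(sep)
  parts.compact.map(&mark).reduce { |acc, part| acc + safe_sep + part } || SafeBuffer.new('')
end

if __FILE__ == $PROGRAM_NAME
  payload = '<script>alert(1)</script>' # constructed attacker-controlled input
  puts "vulnerable: #{glyph_label_vulnerable('star', payload)}"
  puts "join:       #{join_vulnerable('star', payload)}"
  puts "fixed (+):  #{glyph_label_fixed('star', payload)}"
  puts "safe_join:  #{safe_join([ui_glyph('star'), payload])}"
end
```

The design point is that `html_safe` is a declaration, not a sanitizer: it never inspects its receiver. The only safe places to call it are on strings the helper built entirely from literals and already-escaped pieces; any value that can come from a caller has to go through escaping, which `+` on a `SafeBuffer` and `safe_join` do for you and interpolation plus `html_safe` never does.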