How to safely render Action Text?

sdubois · January 10, 2021, 3:37pm

The Action Text guide instructs to render rich text with = @message.content (I don’t use the <% %> symbols as I am using slim templates).

However this renders the raw HTML source code:

I can fix this by replacing with == @message.content:

But then it yields a brakeman vulnerability error:

Confidence: Weak
Category: Cross-Site Scripting
Check: CrossSiteScripting
Message: Unescaped parameter value
Code: authorize(@posts.find_by_uid!(params.require(:id))[/.*--(.*)/, 1]).body
File: app/views/posts/show.html.slim
Line: 26

What is the correct and safe way to render Action Text?

sdubois · January 11, 2021, 8:19am

OK, I’ve escaped the parameter using CGI::escapeHTML. This makes brakeman happy.

However I still wonder why the guide instructs using = instead of ==?

raulp · January 12, 2021, 12:15pm

Hey,

I’ve tried looking into this and see if I can reproduce your issue.

I’m on Rails 6.1 and currently use ERB templates, but used HAML in the past (which don’t require enclosing Ruby injection in <% %>).

I’ve added brakeman to my project and ran a quick scan. I did not get the XSS error for rendering the ActionText content, and from what brakeman reports the issue is with a different line in your view (your authorize call). I’m not sure this is related to ActionText. Maybe if you can add more context to this, I can continue dig into the issue (your controller action + complete view content).

For Slim it seems like you should use == according to this (GitHub - slim-template/slim: Slim is a template language whose goal is to reduce the syntax to the essential parts without becoming cryptic.) to not escape, just as it is with a yield call. The ActionText guide is based on ERB templates so that’s why it puts only one = instead of two.

sdubois · January 12, 2021, 1:38pm

Thanks Raul, about brakeman I found a proper fix so it’s not a problem. For historical reasons I’m loading my posts from the URL in a pretty non-standard way (find_by_uid!(params.require(:id))[/.*--(.*)/, 1])), so maybe escapeHTML is needed because of this, but anyway it doesn’t matter. This fix is good enough and I’ll see in the future if it’s still needed when cleaning up the code.

Also good to know about this difference between erb and slim (= vs. ==)!

Malcom156 · January 26, 2021, 9:23pm

I have the exact same problem. Have tried a variety of things.

jonathanhefner · January 27, 2021, 4:52pm

I believe this is the same issue as: ActionText: renders raw html when using slim-rails. Rails 6.0.0rc2 & ruby 2.5.5 · Issue #36955 · rails/rails · GitHub.

Malcom156 · June 2, 2021, 8:59am

Big thanks for the useful info.

zzak · June 2, 2021, 11:10am

I think this issue has been resolved, but if anyone knows otherwise please let me know!

Topic		Replies	Views
Js.erb render html string rubyonrails-talk	4	414	April 22, 2015
2.3.8 v. 3.1.1 text escaping rubyonrails-talk	1	295	December 25, 2011
Rails 3 and html_safe rubyonrails-talk	4	170	May 17, 2010
Escaping characters in controller rubyonrails-talk	5	191	November 22, 2006
Let's use <%== %> instead of <%= raw() %> rubyonrails-core patch	9	2509	November 8, 2010

How to safely render Action Text?

Related topics

More Resources