Avoid render inline to prevent cross-site scripting (XSS)
Description
The application calls `render inline: ...`, which compiles and evaluates a string as an ERB template at request time instead of rendering a view file. If user-supplied input is embedded in that template string (for example through string interpolation or concatenation), an attacker can inject ERB tags and execute arbitrary Ruby on the server, a server-side template injection (SSTI) that is considerably more severe than the cross-site scripting (XSS) this rule is named for. Even when user input only reaches the template through `locals:`, inline templates are easy to misuse: the markup lives in controller code rather than in a reviewed view, and any `raw` or `html_safe` applied inside it bypasses Rails' default output escaping and reintroduces XSS.
Examples
Insecure Code
```ruby
render inline: '...', locals: { user_input: params[:user_input] }
```
Secure Code
```ruby
render partial: 'users/user_input', locals: { user_input: params[:user_input] }
```
Remediation
Render a template file or partial (`render partial: ...`, `render template: ...`) instead of `render inline: ...`, and pass user-controlled values through `locals:` rather than building the template string from them. Rails' `<%= %>` HTML-escapes output by default, so do not mark user-derived strings as `html_safe` or wrap them in `raw`; if user-supplied HTML must be displayed, pass it through the `sanitize` helper first.
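As an added, self-contained illustration (not part of the original rule page or of Rails), the following stdlib-only Ruby models both rendering patterns outside Rails and adds a toy source scan in the spirit of this rule. The functions `render_inline_unsafe`, `render_with_local` and `find_inline_renders`, the `ATTACKER_INPUT` payload and the `SAMPLE_CONTROLLER` source are constructed for this example; Rails' automatic `<%= %>` escaping is emulated with `ERB::Util.html_escape`, because plain `ERB` does not escape on its own.

```ruby
require "erb"

# Constructed attacker input: a request parameter that carries ERB tags.
# Harmless arithmetic stands in for a real payload (e.g. a system call).
ATTACKER_INPUT = "<%= 6 * 7 %>".freeze

# Insecure pattern: the template *string* is assembled from user input, so the
# attacker's ERB tags are compiled and executed on the server (SSTI). This is
# the Rails shape `render inline: "Hello #{params[:name]}"`.
def render_inline_unsafe(user_input)
  template = "Hello #{user_input}"
  ERB.new(template).result # evaluates "<%= 6 * 7 %>" -> "Hello 42"
end

# Safer pattern: the template is a fixed string and the user value only enters
# as a local, mirroring `locals:` in Rails. Rails escapes `<%= %>` output by
# default; plain ERB does not, so the escape is made explicit here.
def render_with_local(user_input)
  template = "Hello <%= ERB::Util.html_escape(name) %>"
  ERB.new(template).result_with_hash(name: user_input)
end

# Constructed controller source used to exercise the scan below. The
# single-quoted heredoc keeps "#{...}" literal so it reads like real code.
SAMPLE_CONTROLLER = <<~'RUBY'
  class GreetingsController < ApplicationController
    def show
      render inline: "Hello #{params[:name]}"   # template built from user input
    end

    def show_safe
      render partial: "greetings/show", locals: { name: params[:name] }
    end
  end
RUBY

# Toy line-based check in the spirit of the rule: report every line that calls
# `render inline:` (or the older `render :inline =>` form). Returns
# [line_number, stripped_line] pairs. A string scan, not the semgrep rule.
def find_inline_renders(ruby_source)
  pattern = /\brender\s*\(?\s*(inline:|:inline\s*=>)/
  ruby_source.each_line.with_index(1)
             .select { |line, _| line.match?(pattern) }
             .map    { |line, n| [n, line.strip] }
end

if $PROGRAM_NAME == __FILE__
  puts "unsafe : #{render_inline_unsafe(ATTACKER_INPUT)}"   # code ran server-side
  puts "safe   : #{render_with_local(ATTACKER_INPUT)}"      # tags rendered as text
  find_inline_renders(SAMPLE_CONTROLLER).each do |n, line|
    puts "CODE-0555 line #{n}: #{line}"
  end
end
```

Running the file shows the same attacker string producing `Hello 42` from the interpolated template and the literal, escaped tags from the fixed template, which is exactly the distinction the rule exists to enforce; the scan flags only the `render inline:` call, not the partial.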
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0555 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-79 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | xss, ssti, erb |
| OWASP | A7:2017-Cross-Site Scripting (XSS), A03:2021-Injection |
References
- https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#inline-renders---even-worse-than-xss
- https://github.com/semgrep/semgrep-rules/blob/develop/ruby/rails/security/audit/xss/avoid-render-inline.yaml