Avoid render text to prevent XSS
Description
The application was found calling `render text:...` which actually sets the content-type to 'text/html'. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Instead, use `render plain:...` to render non-HTML text.
Examples
Insecure Code

```ruby
render text: user_input
```

Secure Code

```ruby
render plain: user_input
```

Remediation
Replace 'render text:' with 'render plain:'
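The remediation above is mechanical, so it can be checked the same way. Below is an added, stand-alone Ruby script (not part of this rule's or Semgrep's own code) that scans a constructed controller source for the keyword form `render text:` and the older hash-rocket form `render :text =>`, reports each offending line and shows the `render plain:` rewrite; the controller text is a made-up sample.

```ruby
# Added example: a minimal source check for `render text:` usages.
# It is not a substitute for a real linter such as Semgrep or Brakeman, but it
# shows what the rule looks for and what the one-line fix is.

# Matches `render text:`, `render(text:` and the legacy `render :text =>` form.
RENDER_TEXT = /(\brender\s*\(?\s*)(?:text:|:text\s*=>)/

# Scan Ruby source and return one finding per offending line.
# Lines that are pure comments are skipped so commented-out code is not flagged.
def find_render_text(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    next if line.lstrip.start_with?("#")
    next unless RENDER_TEXT.match?(line)
    code = line.strip
    findings << {
      line: lineno,
      code: code,
      fix: code.sub(RENDER_TEXT, '\1plain:'), # keep `render(`, swap the key
    }
  end
  findings
end

# Constructed sample controller (not a real application) exercising each case.
SAMPLE_CONTROLLER = <<~RUBY
  class GreetingsController < ApplicationController
    def show
      render text: params[:name]          # flagged: body is served as text/html
    end

    def legacy
      render :text => params[:name]       # flagged: same issue, hash-rocket syntax
    end

    def safe
      render plain: params[:name]         # fine: served as text/plain
    end

    def docs
      # render text: "old example"        # skipped: commented out
      render html: "<b>ok</b>".html_safe
    end
  end
RUBY

if __FILE__ == $0
  find_render_text(SAMPLE_CONTROLLER).each do |f|
    puts "line #{f[:line]}: #{f[:code]}\n  fix: #{f[:fix]}"
  end
end
```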
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0556 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-79 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | xss, cross-site scripting |
| OWASP | A7:2017-Cross-Site Scripting (XSS), A03:2021-Injection |
References
- https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#inline-renders---even-worse-than-xss
- https://github.com/semgrep/semgrep-rules/blob/develop/ruby/rails/security/audit/xss/avoid-render-text.yaml