Manual Creation of ERB Templates
Description
The application manually creates ERB templates from strings (for example with `ERB.new`). If user input is used to build the template source, the input is evaluated as template code, which exposes the application to server-side template injection (SSTI) and, through the rendered output, to cross-site scripting (XSS).
Examples
Insecure Code
```ruby
ERB.new(...)
```
Secure Code
```ruby
render 'messages/show'
```
Remediation
Create a '.erb' template file and render it with 'render' instead of building templates from strings at runtime. Keep user input out of the template source entirely: pass it to the template only as data, and ensure it is escaped or sanitized before assigning it to the instance variables the template outputs.
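The following added example is not part of the rule page; it illustrates the difference between the insecure and secure patterns above with plain Ruby's standard `ERB` class rather than Rails' `render`. The `UNTRUSTED_INPUT` string, the `render_insecure`/`render_secure` function names and the `SAFE_TEMPLATE` constant are constructed for the illustration. The insecure path splices user text into the template source, so an ERB tag inside that text is executed; the secure path keeps the template fixed and passes the same text in as escaped data.

```ruby
require "erb"
require "cgi"

# Constructed sample of untrusted input, e.g. a "message" typed into a form.
# It happens to contain an ERB tag; what the application does with it decides
# whether that tag is evaluated or simply displayed.
UNTRUSTED_INPUT = "Hello <%= 6 * 7 %>"

# INSECURE (the pattern this rule flags): the user's text becomes part of the
# template source, so any <% %> tags it contains run as Ruby on the server.
def render_insecure(user_text)
  ERB.new("<p>#{user_text}</p>").result(binding)
end

# SECURE: the template is fixed and written once (in Rails it would live in a
# .erb file and be rendered with `render`). User input reaches it only as a
# value, and the template escapes that value before emitting it as HTML.
SAFE_TEMPLATE = ERB.new("<p><%= CGI.escapeHTML(message) %></p>")

def render_secure(message)
  # result_with_hash (Ruby >= 2.5) exposes only the named locals to the
  # template, rather than the caller's whole binding.
  SAFE_TEMPLATE.result_with_hash(message: message)
end

if __FILE__ == $PROGRAM_NAME
  puts render_insecure(UNTRUSTED_INPUT) # the tag was executed: <p>Hello 42</p>
  puts render_secure(UNTRUSTED_INPUT)   # the tag is inert, escaped text
end
```

The insecure output shows the template engine having evaluated the user-supplied tag, which is the SSTI condition; the secure output shows the same input rendered as harmless text, which also covers the XSS case because `CGI.escapeHTML` neutralises `<`, `>`, `&` and quotes.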
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0557 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-79 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | xss, ssti, erb, template-injection |
| OWASP | A7:2017-Cross-Site Scripting (XSS), A03:2021-Injection |