Skip to content

Engine: <%# herb:security false %> directive #1161

Description

@marcoroth

Summary

Add support for a file-level directive to disable security checks in Herb::Engine.

Background

The engine has security features via SecurityValidator that prevent potentially dangerous ERB patterns:

  1. Tag injection - blocks <div <%= @attrs %>> (ERB output in tag attribute position)
  2. Attribute name injection - blocks <div data-<%= @name %>="value"> (ERB output in attribute names)

These raise SecurityError with code SecurityViolation when detected.

Proposed Directive Format

Following the existing <%# herb:disable rule-name %> convention from the linter, the engine should support:

<%# herb:security false %>                        

Security Rules

Rule Name Description
tag-injection Allows ERB output in tag attribute position: <div <%= @attrs %>>
attribute-name-injection Allows dynamic attribute names: <div data-<%= @name %>="value">

Alternatives Considered

  1. <%# herb:disable security %> - Matches linter pattern exactly, but mixes linter and engine concerns
  2. <%# herb:safety false %> - "Safety" vs "security" naming, but codebase already uses "security" terminology (SecurityValidator, SecurityError)

Metadata

Metadata

Assignees

No one assigned

    Labels

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions