Summary
Add support for a file-level directive to disable security checks in Herb::Engine.
Background
The engine has security features via SecurityValidator that prevent potentially dangerous ERB patterns:
- Tag injection - blocks
<div <%= @attrs %>> (ERB output in tag attribute position)
- Attribute name injection - blocks
<div data-<%= @name %>="value"> (ERB output in attribute names)
These raise SecurityError with code SecurityViolation when detected.
Proposed Directive Format
Following the existing <%# herb:disable rule-name %> convention from the linter, the engine should support:
<%# herb:security false %>
Security Rules
| Rule Name |
Description |
tag-injection |
Allows ERB output in tag attribute position: <div <%= @attrs %>> |
attribute-name-injection |
Allows dynamic attribute names: <div data-<%= @name %>="value"> |
Alternatives Considered
<%# herb:disable security %> - Matches linter pattern exactly, but mixes linter and engine concerns
<%# herb:safety false %> - "Safety" vs "security" naming, but codebase already uses "security" terminology (SecurityValidator, SecurityError)
Summary
Add support for a file-level directive to disable security checks in
Herb::Engine.Background
The engine has security features via
SecurityValidatorthat prevent potentially dangerous ERB patterns:<div <%= @attrs %>>(ERB output in tag attribute position)<div data-<%= @name %>="value">(ERB output in attribute names)These raise
SecurityErrorwith codeSecurityViolationwhen detected.Proposed Directive Format
Following the existing
<%# herb:disable rule-name %>convention from the linter, the engine should support:<%# herb:security false %>Security Rules
tag-injection<div <%= @attrs %>>attribute-name-injection<div data-<%= @name %>="value">Alternatives Considered
<%# herb:disable security %>- Matches linter pattern exactly, but mixes linter and engine concerns<%# herb:safety false %>- "Safety" vs "security" naming, but codebase already uses "security" terminology (SecurityValidator,SecurityError)