Version
@herb-tools/linter 0.10.1
Repro
<%= render SomeComponent.new(
  columns: [
    # This comment mentions the raw upstream value.
    { title: "Name", value: ->(record) { record.name } }
  ]
) %>
Run:
herb-lint --fail-level warning example.html.erb
Expected
No offense. The word raw is inside a Ruby comment; it is not a call to raw() and not unsafe output.
Actual
erb-no-unsafe-raw reports an offense at the start of the ERB output node:
Avoid `raw()` in ERB output. It bypasses HTML escaping and can cause cross-site scripting (XSS) vulnerabilities.
The highlighted location points at <%= render SomeComponent.new(, which makes it look like rendering a component is unsafe.
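As an added illustration (not code from herb-tools or this report's author), here is a Ruby check that tells a raw() call apart from the word "raw" inside a comment by lexing the output tag's Ruby with the standard-library Ripper, beside a naive substring match that reproduces the false positive described above. The ERB input is the snippet from this report plus a constructed, genuinely unsafe tag; the tag extraction is simplified (only <%= ... %>).

```ruby
require "ripper"

# The ERB from this report: "raw" appears only inside a Ruby comment.
REPORT_SNIPPET = <<~ERB
  <%= render SomeComponent.new(
    columns: [
      # This comment mentions the raw upstream value.
      { title: "Name", value: ->(record) { record.name } }
    ]
  ) %>
ERB

# Constructed example of output that really does bypass escaping.
UNSAFE_SNIPPET = "<%= raw(params[:comment]) %>\n"

# Return the Ruby source of each <%= ... %> output tag (simplified: ignores <%== and <%- forms).
def output_tag_sources(erb)
  erb.scan(/<%=(.*?)%>/m).map { |(src)| src }
end

# Naive check: any occurrence of the substring "raw", comments included.
# This is a stand-in for the reported behaviour, not the linter's actual implementation.
def naive_unsafe_raw?(ruby_src)
  ruby_src.include?("raw")
end

# Token-based check: flag only an identifier `raw` used as a call (followed by `(` or an argument).
# Text inside comments or string literals never lexes as :on_ident, so it cannot match.
def token_unsafe_raw?(ruby_src)
  tokens = Ripper.lex(ruby_src)
  tokens.each_with_index.any? do |(_pos, type, tok, _state), i|
    next false unless type == :on_ident && tok == "raw"
    following = tokens.drop(i + 1).find { |(_, t, _, _)| t != :on_sp }
    following && [:on_lparen, :on_ident, :on_tstring_beg, :on_ivar, :on_int].include?(following[1])
  end
end

# Output tags the token-based check would report.
def unsafe_output_tags(erb)
  output_tag_sources(erb).select { |src| token_unsafe_raw?(src) }
end
```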