
Linter: erb-no-unsafe-raw false positive on raw inside Ruby comment in ERB output block #1807

Description

@florentmsl

Version

@herb-tools/linter 0.10.1

Repro

<%= render SomeComponent.new(
  columns: [
    # This comment mentions the raw upstream value.
    { title: "Name", value: ->(record) { record.name } }
  ]
) %>

Run:

herb-lint --fail-level warning example.html.erb

Expected

No offense. The word raw is inside a Ruby comment, not a call to raw() and not unsafe output.

Actual

erb-no-unsafe-raw reports an offense at the start of the ERB output node:

Avoid `raw()` in ERB output. It bypasses HTML escaping and can cause cross-site scripting (XSS) vulnerabilities.

The highlighted location points at <%= render SomeComponent.new(, which makes it look like rendering a component is unsafe.
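As an added illustration, not code from herb-tools, the following Ruby script contrasts a plain word match (the kind of check that produces the false positive above) with a token-aware check built on Ruby's standard-library Ripper lexer, which only reports `raw` when it appears as an identifier token and therefore ignores comments and string literals. The sample ERB is constructed from the repro plus two extra blocks.

```ruby
require "ripper"

# Added example, not herb-tools code: compare a naive word match for "raw"
# with a token-aware check that asks Ripper for the Ruby tokens of each
# <%= ... %> block and flags only an identifier token named raw.

# Pull the Ruby source out of every ERB output block.
def erb_output_blocks(erb)
  erb.scan(/<%=(.*?)%>/m).flatten
end

# The naive check: any occurrence of the word raw counts as an offense,
# including the one inside the Ruby comment from the issue's repro.
def naive_raw_offenses(erb)
  erb_output_blocks(erb).count { |code| code.match?(/\braw\b/) }
end

# Token-aware check: returns [block_index, line] for each raw identifier.
# Ripper.lex yields [[line, col], token_type, text, state]; a comment is a
# single :on_comment token and string contents are :on_tstring_content,
# so the word raw inside either never surfaces as :on_ident.
def token_raw_offenses(erb)
  erb_output_blocks(erb).each_with_index.flat_map do |code, idx|
    Ripper.lex(code).filter_map do |(line, _col), type, text, _state|
      [idx, line] if type == :on_ident && text == "raw"
    end
  end
end

# Constructed sample: the issue's repro (block 0), a string literal that
# contains the word raw (block 1), and one genuinely unsafe call (block 2).
SAMPLE_ERB = <<~ERB
  <%= render SomeComponent.new(
    columns: [
      # This comment mentions the raw upstream value.
      { title: "Name", value: ->(record) { record.name } }
    ]
  ) %>
  <p><%= "raw data for " + user.name %></p>
  <%= raw(user.bio_html) %>
ERB

if __FILE__ == $PROGRAM_NAME
  puts "naive: #{naive_raw_offenses(SAMPLE_ERB)} offenses"   # 3
  puts "token: #{token_raw_offenses(SAMPLE_ERB).inspect}"    # [[2, 1]]
end
```

Only the third block, the actual `raw()` call, is reported by the token-aware check, while the comment mention and the string literal are skipped.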
