I just started using the brakeman gem to check my Rails app for security vulnerabilities.
I didn't get anything, except for a few cross-site scripting warnings.
All of them have common similarities:
- They are all link_to tags
- They all have instance variables in the class, alt or title attributes
- All of the instance variables are ActiveRecord queries that include related models.
- All of the instance variables are "comments". This is a polymorphic association for user comments, similar in approach to the revised version of this Railscast.
e.g.
<%= link_to "Click", @model.association, :class => @model.association.attribute, :alt => @model.association.attribute, :title => @model.association.attribute %>
Where
@model = @commentable = Model.includes(:association1, association2: [:nested_association1, :nested_association2]).find(params[:id])
Rails 3.2.
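To see what the warning is about, here is an added example (not code from the question above) that contrasts the escaping Rails' tag helpers apply to html_options values with the same values dropped into the markup raw. `escaped_link_to` and `unescaped_link_to` are simplified stand-ins written for this illustration, not Rails' own implementation, and the comment body is a constructed sample.

```ruby
require 'erb'

# Simplified stand-in for what Rails' tag helpers do with html_options:
# every attribute value is HTML-escaped before it is placed between quotes,
# so a quote inside a comment body cannot close the attribute early.
def escaped_link_to(text, href, attrs = {})
  attr_str = attrs.map { |k, v| %(#{k}="#{ERB::Util.html_escape(v)}") }.join(' ')
  %(<a href="#{ERB::Util.html_escape(href)}" #{attr_str}>#{ERB::Util.html_escape(text)}</a>)
end

# What a scanner worries about: the same model attribute interpolated unescaped.
def unescaped_link_to(text, href, attrs = {})
  attr_str = attrs.map { |k, v| %(#{k}="#{v}") }.join(' ')
  %(<a href="#{href}" #{attr_str}>#{text}</a>)
end

# Constructed sample comment body that tries to break out of the title attribute
# and smuggle in a second attribute.
HOSTILE_COMMENT = %q(nice post" data-injected="yes)

def safe_markup
  escaped_link_to('Click', '/posts/1', class: 'comment', title: HOSTILE_COMMENT)
end

def unsafe_markup
  unescaped_link_to('Click', '/posts/1', class: 'comment', title: HOSTILE_COMMENT)
end

# Check usable in a view spec: did the raw breakout string survive into the HTML?
def contains_raw_payload?(html)
  html.include?('" data-injected="')
end

if __FILE__ == $0
  puts safe_markup     # title="nice post&quot; data-injected=&quot;yes"
  puts unsafe_markup   # title="nice post" data-injected="yes"
end
```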